feat(forgejo-runners): Use /data/slow/nix and not /data/slow/nix/nix

The upstream module should be updated to reflect that, use rootPath instead of storePath
chore(lix): Use the global patch infrastructure for lix
2024-11-22 14:04:35 +01:00 · 2024-11-22 12:56:39 +01:00 · 2024-11-21 15:13:25 +01:00 · 2024-11-19 00:53:33 +01:00 · 2024-11-19 00:40:15 +01:00 · 2024-11-19 00:13:49 +01:00
218 changed files with 10409 additions and 3069 deletions
--- a/.envrc
+++ b/.envrc
@ -1 +1,2 @@
+watch_file workflows/*
 use nix
--- a/.forgejo/workflows/check-meta.yaml
+++ b/.forgejo/workflows/check-meta.yaml
@ -1,25 +1,21 @@
+jobs:
+  check_dns:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - name: Check the validity of the DNS configuration
+      run: nix-build meta/verify.nix -A dns
+  check_meta:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - name: Check the validity of meta options
+      run: nix-build meta/verify.nix -A meta
 name: Check meta
 on:
  pull_request:
    branches:
-      - main
+    - main
  push:
    paths:
-      - 'meta/*'
-
-jobs:
-  check_meta:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Check the validity of meta options
-        run: nix-build meta/verify.nix -A meta
-
-  check_dns:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Check the validity of the DNS configuration
-        run: nix-build meta/verify.nix -A dns --no-out-link
+    - meta/*
--- a/.forgejo/workflows/check-workflows.yaml
+++ b/.forgejo/workflows/check-workflows.yaml
@ -0,0 +1,16 @@
+jobs:
+  check_workflows:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - name: Check that the workflows are up to date
+      run: nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l)
+        -eq 0 ]'
+name: Check workflows
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    paths:
+    - workflows/*
--- a/.forgejo/workflows/ds-fr.yaml
+++ b/.forgejo/workflows/ds-fr.yaml
@ -1,56 +0,0 @@
-name: ds-fr update
-on:
-  schedule:
-    - cron: "26 18 * * wed"
-
-jobs:
-  npins_update:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-
-      - name: Update DS and open PR if necessary
-        run: |
-          # Fetch the latest release tag
-          VERSION=$(curl -L \
-            -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            https://api.github.com/repos/demarches-simplifiees/demarches-simplifiees.fr/releases/latest \
-          | jq -r '.tag_name')
-
-          # Move to the ds-fr directory
-          cd machines/compute01/ds-fr/package
-
-          # Run the update script
-          ./update.sh -v "$VERSION"
-
-          if [ ! -z "$(git diff --name-only)" ]; then
-            echo "[+] Changes detected, pushing updates."
-
-            git switch -C ds-update
-
-            git add .
-
-            git config user.name "DGNum Chores"
-            git config user.email "tech@dgnum.eu"
-
-            git commit --message "chore(ds-fr): Update"
-            git push --set-upstream origin ds-update --force
-
-            # Connect to the server with the cli
-            tea login add \
-              -n dgnum-chores \
-              -t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
-              -u https://git.dgnum.eu
-
-            # Create a pull request if needed
-            # i.e. no PR with the same title exists
-            if [ -z "$(tea pr ls -f='title,author' -o simple | grep 'chore(ds-fr): Update dgnum-chores')" ]; then
-              tea pr create \
-                --description "Automatic ds-fr update" \
-                --title "chore(ds-fr): Update" \
-                --head ds-update
-            fi
-          fi
--- a/.forgejo/workflows/eval-nodes.yaml
+++ b/.forgejo/workflows/eval-nodes.yaml
@ -0,0 +1,119 @@
+jobs:
+  bridge01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: bridge01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache bridge01
+      run: nix-shell -A eval-nodes --run cache-node
+  compute01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: compute01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache compute01
+      run: nix-shell -A eval-nodes --run cache-node
+  geo01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: geo01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache geo01
+      run: nix-shell -A eval-nodes --run cache-node
+  geo02:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: geo02
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache geo02
+      run: nix-shell -A eval-nodes --run cache-node
+  rescue01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: rescue01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache rescue01
+      run: nix-shell -A eval-nodes --run cache-node
+  storage01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: storage01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache storage01
+      run: nix-shell -A eval-nodes --run cache-node
+  vault01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: vault01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache vault01
+      run: nix-shell -A eval-nodes --run cache-node
+  web01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: web01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache web01
+      run: nix-shell -A eval-nodes --run cache-node
+  web02:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: web02
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache web02
+      run: nix-shell -A eval-nodes --run cache-node
+  web03:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: web03
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache web03
+      run: nix-shell -A eval-nodes --run cache-node
+name: Build all the nodes
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main
--- a/.forgejo/workflows/eval.yaml
+++ b/.forgejo/workflows/eval.yaml
@ -1,88 +0,0 @@
-name: build configuration
-on:
-  pull_request:
-    types: [opened, synchronize, edited, reopened]
-    branches:
-      - main
-  push:
-    branches:
-      - main
-
-jobs:
-  build_compute01:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build compute01
-        run: |
-          # Enter the shell
-          nix-shell --run 'colmena build --on compute01'
-
-  build_storage01:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build storage01
-        run: |
-          # Enter the shell
-          nix-shell --run 'colmena build --on storage01'
-
-  build_vault01:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build vault01
-        run: |
-          # Enter the shell
-          nix-shell --run 'colmena build --on vault01'
-
-  build_web01:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build web01
-        run: |
-          # Enter the shell
-          nix-shell --run 'colmena build --on web01'
-
-  build_web02:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build web02
-        run: |
-          # Enter the shell
-          nix-shell --run 'colmena build --on web02'
-
-  build_rescue01:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build rescue01
-        run: |
-          # Enter the shell
-          nix-shell --run 'colmena build --on rescue01'
-
-  push_to_cache:
-    runs-on: nix
-    needs:
-      - build_compute01
-      - build_storage01
-      - build_vault01
-      - build_web01
-      - build_web02
-      - build_rescue01
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Push to cache
-        run: nix-shell --run push-to-cache
-        env:
-          ATTIC_ENDPOINT: "https://cachix.dgnum.eu"
-          ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
--- a/.forgejo/workflows/lint.yaml
+++ b/.forgejo/workflows/lint.yaml
@ -1,11 +0,0 @@
-name: lint
-on: push
-
-jobs:
-  check:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Run pre-commit on all files
-        run: nix-shell --run 'pre-commit run --all-files --show-diff-on-failure' -A shells.pre-commit ./.
--- a/.forgejo/workflows/npins-update.yaml
+++ b/.forgejo/workflows/npins-update.yaml
@ -0,0 +1,25 @@
+jobs:
+  npins_update:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        depth: 0
+        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
+    - name: Update dependencies and open PR if necessary
+      run: "npins update\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n  echo
+        \"[+] Changes detected, pushing updates.\"\n\n  git switch -C npins-update\n\
+        \n  git add npins\n\n  git config user.name \"DGNum Chores\"\n  git config
+        user.email \"tech@dgnum.eu\"\n\n  git commit --message \"chore(npins): Update\"\
+        \n  git push --set-upstream origin npins-update --force\n\n  # Connect to
+        the server with the cli\n  tea login add \\\n    -n dgnum-chores \\\n    -t
+        \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" \\\n    -u https://git.dgnum.eu\n\
+        \n  # Create a pull request if needed\n  # i.e. no PR with the same title
+        exists\n  if [ -z \"$(tea pr ls -f='title,author' -o simple | grep 'chore(npins):
+        Update dgnum-chores')\" ]; then\n    tea pr create \\\n      --description
+        \"Automatic npins update\" \\\n      --title \"chore(npins): Update\" \\\n\
+        \      --head npins-update\n  fi\nfi\n"
+name: npins update
+on:
+  schedule:
+  - cron: 25 15 * * *
--- a/.forgejo/workflows/pre-commit.yaml
+++ b/.forgejo/workflows/pre-commit.yaml
@ -0,0 +1,12 @@
+jobs:
+  check:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - name: Run pre-commit on all files
+      run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
+        pre-push --show-diff-on-failure'
+name: Run pre-commit on all files
+on:
+- push
+- pull_request
--- a/README.md
+++ b/README.md
@ -8,3 +8,110 @@ Some instruction on how to contribute are available (in french) in [/CONTRIBUTE.
 You're expected to read this document before commiting to the repo.

 Some documentation for the development tools are provided in the aforementioned file.
+
+# Using the binary cache
+
+Add the following module to your configuration (and pin this repo using your favorite tool: npins, lon, etc...):
+```
+{ lib, ... }:
+let
+  dgnum-infra = PINNED_PATH_TO_INFRA;
+in {
+  nix.settings = (import dgnum-infra { }).mkCacheSettings {
+    caches = [ "infra" ];
+  };
+}
+```
+
+
+# Adding a new machine
+
+The first step is to create a minimal viable NixOS host, using tha means necessary.
+The second step is to find a name for this host, it must be unique from the other hosts.
+
+> [!TIP]
+> For the rest of this part, we assume that the host is named `host02`
+
+## Download the keys
+
+The public SSH keys of `host02` have to be saved to `keys`, preferably only the `ssh-ed25519` one.
+
+It can be retreived with :
+
+```bash
+ssh-keyscan address.of.host02 2>/dev/null | awk '/ssh-ed25519/ {print $2,$3}'
+```
+
+## Initialize the machine folder and configuration
+
+- Create a folder `host02` under `machines/`
+- Copy the hardware configuration file generated by `nixos-generate-config` to `machines/host02/_hardware-configuration.nix`
+- Create a `machines/host02/_configuration.nix` file, it will contain the main configuration options, the basic content of this file should be the following
+
+```nix
+{ lib, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [
+    # List of modules to enable
+  ];
+
+  enabledServices = [
+    # List of services to enable
+  ];
+
+  extraConfig = {
+    services.netbird.enable = true;
+  };
+
+  root = ./.;
+}
+```
+
+## Fill in the metadata
+
+### Network configuration
+
+The network is declared in `meta/network.nix`, the necessary `hostId` value can be generated with :
+
+```bash
+head -c4 /dev/urandom | od -A none -t x4 | sed 's/ //'
+```
+
+### Other details
+
+The general metadata is declared in `meta/nodes.nix`, the main values to declare are :
+
+- `site`, where the node is physically located
+- `stateVersion`
+- `nixpkgs`, the nixpkgs version to use
+
+## Initialize secrets
+
+Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
+
+```nix
+(import ../../../keys).mkSecrets [ "host02" ] [
+  # List of secrets for host02
+]
+```
+
+This will be used for future secret management.
+
+## Update encrypted files
+
+Both the Arkheon, Netbox and notification modules have secrets that are deployed on all machines. To make those services work correctly, run in `modules/dgn-records`, `modules/dgn-netbox-agent` and `modules/dgn-notify` :
+
+```bash
+agenix -r
+```
+
+## Commit and create a PR
+
+Once all of this is done, check that the configuration builds correctly :
+
+```bash
+colmena build --on host02
+```
+
+Apply it, and create a Pull Request.
--- a/default.nix
+++ b/default.nix
@ -34,28 +34,63 @@
  termes.
 */

+{
+  sources ? import ./npins,
+  pkgs ? import sources.nixpkgs { },
+  nix-pkgs ? import sources.nix-pkgs { inherit pkgs; },
+}:
+
 let
-  sources = import ./npins;
-  pkgs = import sources.nixpkgs { };
-  pre-commit-check = (import sources.pre-commit-hooks).run {
+  inherit (pkgs.lib)
+    isFunction
+    mapAttrs
+    mapAttrs'
+    nameValuePair
+    removeSuffix
+    ;
+
+  git-checks = (import sources.git-hooks).run {
    src = ./.;

    hooks = {
-      # Nix Hooks
-      statix.enable = true;
-      deadnix.enable = true;
-      rfc101 = {
+      statix = {
        enable = true;
-
-        name = "RFC-101 formatting";
-        entry = "${pkgs.lib.getExe pkgs.nixfmt-rfc-style}";
-        files = "\\.nix$";
+        stages = [ "pre-push" ];
+        settings.ignore = [
+          "**/lon.nix"
+          "**/npins"
+        ];
+      };
+
+      deadnix = {
+        enable = true;
+        stages = [ "pre-push" ];
+      };
+
+      nixfmt-rfc-style = {
+        enable = true;
+        stages = [ "pre-push" ];
      };

-      # Misc Hooks
      commitizen.enable = true;
    };
  };
+
+  workflows = (import sources.nix-actions { inherit pkgs; }).install {
+    src = ./.;
+
+    workflows = mapAttrs' (
+      name: _:
+      nameValuePair (removeSuffix ".nix" name) (
+        let
+          w = import ./workflows/${name};
+        in
+        if isFunction w then w { inherit (pkgs) lib; } else w
+      )
+    ) (builtins.readDir ./workflows);
+  };
+
+  scripts = import ./scripts { inherit pkgs; };
 in

 {
@ -65,39 +100,37 @@ in

  dns = import ./meta/dns.nix;

-  shells = {
-    default = pkgs.mkShell {
-      name = "dgnum-infra";
+  mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;

-      packages =
-        (with pkgs; [
-          npins
-          nixos-generators
-          attic-client
-          picocom
-          kanidm # for remote SSO operations
-          freeradius # for radtest
-          (callPackage (sources.liminix + "/pkgs/min-copy-closure") { nix = pkgs.lix; })
-          (callPackage (sources.liminix + "/pkgs/min-collect-garbage") { nix = pkgs.lix; })
-          (callPackage (sources.liminix + "/pkgs/tufted") { })
-          (callPackage (sources.disko + "/package.nix") { })
-          (callPackage ./lib/colmena { colmena = import sources.colmena; })
-        ])
-        ++ (import ./scripts { inherit pkgs; });
+  devShell = pkgs.mkShell {
+    name = "dgnum-infra";

-      shellHook = ''
-        ${pre-commit-check.shellHook}
-      '';
+    packages = [
+      (pkgs.nixos-generators.overrideAttrs (_: {
+        version = "1.8.0-unstable";
+        src = sources.nixos-generators;
+      }))
+      pkgs.npins

-      preferLocalBuild = true;
-    };
+      (pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
+      (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
+      (pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
+    ] ++ (builtins.attrValues scripts);

-    pre-commit = pkgs.mkShell {
-      name = "pre-commit-shell";
+    shellHook = ''
+      ${git-checks.shellHook}
+      ${workflows.shellHook}
+    '';

-      shellHook = ''
-        ${pre-commit-check.shellHook}
-      '';
+    preferLocalBuild = true;
+
+    ###
+    # Alternative shells
+
+    passthru = mapAttrs (name: value: pkgs.mkShell (value // { inherit name; })) {
+      pre-commit.shellHook = git-checks.shellHook;
+      check-workflows.shellHook = workflows.shellHook;
+      eval-nodes.packages = [ scripts.cache-node ];
    };
  };
 }
--- a/hive.nix
+++ b/hive.nix
@ -1,174 +1,102 @@
 let
-  sources = import ./npins;
+  sources' = import ./npins;

-  lib = import (sources.nix-lib + "/src/trivial.nix");
-  lib' = (import sources.nixos-unstable { }).lib;
+  # Patch sources directly
+  sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; })
+    .applyPatches' sources';

-  patch = import sources.nix-patches { patchFile = ./patches; };
+  nix-lib = import ./lib/nix-lib;
+
+  patch = import ./lib/nix-patches { patchFile = ./patches; };

  nodes' = import ./meta/nodes.nix;
  nodes = builtins.attrNames nodes';

  mkNode = node: {
    # Import the base configuration for each node
-    imports = builtins.map (lib.mkRel (./machines/${node})) [
-      "_configuration.nix"
-      "_hardware-configuration.nix"
-    ];
-
-    deployment.systemType = systemType node;
+    imports = [ ./machines/${node}/_configuration.nix ];
  };

  nixpkgs' = import ./meta/nixpkgs.nix;
-
  # All supported nixpkgs versions, instanciated
-  nixpkgs = lib.mapSingleFuse (
-    s: lib.mapSingleFuse (mkSystemNixpkgs s) nixpkgs'.versions.supported
-  ) nixpkgs'.systems.supported;
+  nixpkgs = nix-lib.mapSingleFuse mkNixpkgs nixpkgs'.supported;

  # Get the configured nixos version for the node,
  # defaulting to the one defined in meta/nixpkgs
-  version = node: nodes'.${node}.nixpkgs or nixpkgs'.versions.default;
-  system = node: nodes'.${node}.system or nixpkgs'.systems.default;
-  systemType =
-    node:
-    nodes'.${node}.system
-      or (lib'.warn "Not specifying the `deployment.systemType` is deprecated!" "nixos");
+  version = node: nodes'.${node}.nixpkgs or nixpkgs'.default;

  # Builds a patched version of nixpkgs, only as the source
  mkNixpkgs' =
    v:
-    let
-      version = "nixos-${v}";
-    in
-    patch.mkNixpkgsSrc {
-      src = sources.${version};
-      inherit version;
+    patch.mkNixpkgsSrc rec {
+      src = sources'.${name};
+      name = "nixos-${v}";
    };

-  mkNixpkgsConfigPerSystem =
-    system: _:
-    if system == "nixos" then
-      { }
-    else
-      (import "${sources.liminix}/devices/${system}").system
-      // {
-        overlays = [ (import "${sources.liminix}/overlay.nix") ];
-        config = {
-          allowUnsupportedSystem = true; # mipsel
-          permittedInsecurePackages = [
-            "python-2.7.18.8" # Python < 3 is needed for kernel backports.
-          ];
-        };
-      };
-
-  # Instanciate a specialized version of nixpkgs
-  mkSystemNixpkgs =
-    system: version:
-    let
-      args = mkNixpkgsConfigPerSystem system version;
-    in
-    import (mkNixpkgs' version) args;
+  # Instanciates the required nixpkgs version
+  mkNixpkgs = version: import (mkNixpkgs' version) { };

  ###
  # Function to create arguments based on the node
  #
-  mkArgs =
-    node:
-    let
-      pkgs = nixpkgs.${system node};
-    in
-    rec {
-      lib = import sources.nix-lib {
-        inherit (pkgs.${version node}) lib;
-
-        nixpkgs = pkgs;
-
-        keysRoot = ./keys;
-      };
-
-      meta = (import ./meta) lib;
-
-      nodeMeta = meta.nodes.${node};
+  mkArgs = node: rec {
+    lib = nixpkgs.${version node}.lib // {
+      extra = nix-lib;
    };
+
+    meta = (import ./meta) lib;
+
+    nodeMeta = meta.nodes.${node};
+  };
 in

 {
-  registry = {
-    zyxel-nwa50ax = {
-      evalConfig = import "${sources.liminix}/lib/eval-config.nix" {
-        nixpkgs = sources.nixos-unstable;
-      };
-
-      defaults = _: {
-        nixpkgs = {
-          source = sources.nixos-unstable;
-          config = {
-            allowUnsupportedSystem = true; # mipsel
-            permittedInsecurePackages = [
-              "python-2.7.18.8" # Python < 3 is needed for kernel backports.
-            ];
-          };
-          hostPlatform = {
-            config = "mipsel-unknown-linux-musl";
-            gcc = {
-              abi = "32";
-              arch = "mips32"; # mips32r2?
-            };
-          };
-
-          # It's impure, but who cares?
-          # Can Flakes do that?
-          buildPlatform = builtins.currentSystem;
-        };
-      };
-    };
-
-    nixos = {
-      evalConfig = import "${sources.nixos-unstable}/nixos/lib/eval-config.nix";
-      defaults =
-        { nodeMeta, name, ... }:
-        {
-          # Import the default modules
-          imports = [ ./modules ];
-
-          # Include default secrets
-          age-secrets.sources = [ ./machines/${name}/secrets ];
-
-          # Deployment config is specified in meta.nodes.${node}.deployment
-          inherit (nodeMeta) deployment;
-
-          nix = {
-            # Set NIX_PATH to the patched version of nixpkgs
-            nixPath = [ "nixpkgs=${mkNixpkgs' (version name)}" ];
-            optimise.automatic = true;
-
-            gc = {
-              automatic = true;
-              dates = "weekly";
-              options = "--delete-older-than 7d";
-            };
-          };
-
-          # Allow unfree packages
-          nixpkgs.config.allowUnfree = true;
-
-          # Use the stateVersion declared in the metadata
-          system = {
-            inherit (nodeMeta) stateVersion;
-          };
-        };
-    };
-  };
-
  meta = {
-    nodeNixpkgs = lib.mapSingleFuse (n: nixpkgs.${system n}.${version n}) nodes;
+    nodeNixpkgs = nix-lib.mapSingleFuse (n: nixpkgs.${version n}) nodes;

    specialArgs = {
-      inherit sources;
+      inherit nixpkgs sources;
+
+      dgn-keys = import ./keys;
    };

-    nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes;
+    nodeSpecialArgs = nix-lib.mapSingleFuse mkArgs nodes;
  };
+
+  defaults =
+    { name, nodeMeta, ... }:
+    {
+      # Import the default modules
+      imports = [
+        ./modules
+        (import "${sources.lix-module}/module.nix" { inherit (sources) lix; })
+      ];
+
+      # Include default secrets
+      age-secrets.sources = [ ./machines/${name}/secrets ];
+
+      # Deployment config is specified in meta.nodes.${node}.deployment
+      inherit (nodeMeta) deployment;
+
+      nix = {
+        # Set NIX_PATH to the patched version of nixpkgs
+        nixPath = [ "nixpkgs=${mkNixpkgs' (version name)}" ];
+        optimise.automatic = true;
+
+        gc = {
+          automatic = true;
+          dates = "weekly";
+          options = "--delete-older-than 7d";
+        };
+      };
+
+      # Allow unfree packages
+      nixpkgs.config.allowUnfree = true;
+
+      # Use the stateVersion declared in the metadata
+      system = {
+        inherit (nodeMeta) stateVersion;
+      };
+    };
 }
-// (lib.mapSingleFuse mkNode nodes)
+// (nix-lib.mapSingleFuse mkNode nodes)
--- a/iso/build-iso.sh
+++ b/iso/build-iso.sh
@ -1,5 +1,5 @@
 #!/usr/bin/env bash

-NIXPKGS=$(nix-build nixpkgs.nix)
+NIXPKGS=$(nix-build --no-out-link nixpkgs.nix)

 nixos-generate -c configuration.nix -I NIX_PATH="$NIXPKGS" -f install-iso
--- a/iso/configuration.nix
+++ b/iso/configuration.nix
@ -1,9 +1,9 @@
 { lib, pkgs, ... }:

 let
-  dgn-lib = import ../lib { };
+  dgn-keys = import ../keys;

-  dgn-members = (import ../meta lib).members.groups.root;
+  dgn-members = (import ../meta lib).organization.groups.root;
 in

 {
@ -11,7 +11,7 @@ in

  boot = {
    blacklistedKernelModules = [ "snd_pcsp" ];
-    kernelPackages = pkgs.linuxPackages_6_1;
+    kernelPackages = pkgs.linuxPackages_latest;
    tmp.cleanOnBoot = true;

    loader = {
@ -22,6 +22,7 @@ in
    supportedFilesystems = [
      "exfat"
      "zfs"
+      "bcachefs"
    ];

    swraid.enable = lib.mkForce false;
@ -33,7 +34,5 @@ in
    openssh.enable = true;
  };

-  users.users.root.openssh.authorizedKeys.keyFiles = builtins.map (
-    m: dgn-lib.mkRel ../keys "${m}.keys"
-  ) dgn-members;
+  users.users.root.openssh.authorizedKeys.keys = dgn-keys.getKeys dgn-members;
 }
--- a/iso/nixpkgs.nix
+++ b/iso/nixpkgs.nix
@ -1,5 +1,6 @@
 let
-  inherit (import ../npins) nixpkgs;
+  version = (import ../meta/nixpkgs.nix).default;
+  nixpkgs = (import ../npins)."nixos-${version}";
 in

 (import nixpkgs { }).srcOnly {
--- a/keys/catvayor.keys
+++ b/keys/catvayor.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor
--- a/keys/certs/dgnum-ap-server.crt
+++ b/keys/certs/dgnum-ap-server.crt
@ -1,18 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIC6TCCAdECFEbjeqNNzKWyfs2GJekipWK+yO4uMA0GCSqGSIb3DQEBCwUAMHMx
-NDAyBgNVBAMMK0RHTnVtIFRlc3QgQVAgQ0EgLS0gRE8gTk9UIFVTRSBPUiBHRVQg
-RklSRUQxCzAJBgNVBAYTAkZSMQ4wDAYDVQQIDAVQYXJpczEOMAwGA1UEBwwFUGFy
-aXMxDjAMBgNVBAoMBURHTnVtMB4XDTI0MDgyNjE5MDQxMFoXDTI2MDgyNjE5MDQx
-MFowdzE4MDYGA1UEAwwvREdOdW0gVGVzdCBBUCBzZXJ2ZXIgLS0gRE8gTk9UIFVT
-RSBPUiBHRVQgRklSRUQxCzAJBgNVBAYTAkZSMQ4wDAYDVQQIDAVQYXJpczEOMAwG
-A1UEBwwFUGFyaXMxDjAMBgNVBAoMBURHTnVtMIGbMBAGByqGSM49AgEGBSuBBAAj
-A4GGAAQBDrTf0SH/YOkOfvOSnB3BbICb80jSsxwQH50y4jylbXcrUZnegLYjW/lF
-QknuMBzzE5fnE9lAeOxqsn0ec+sL3zEBrV0LSG2LgxhAkahZS9U4Spt9Qc84U7cG
-AFQ3GXDMTEb/COHJSu7sIfV4gFRVesFez30gb94lMxckkq/6nkXXaEUwDQYJKoZI
-hvcNAQELBQADggEBAEfPHMAXwftYQ0lDYPlr9b+GZDl7/JAavEfBXKzj1U8O0sJz
-daNOHEX3a5ZOaQoean2zmBLROgQpDlwsjAFNA9dg0ef2f4RgJvr/l2fspHwG0Uaq
-4JEOKTj3htd8aZX2i6AR02UC2oxCtf7ZVa+a6NOeeKl53QPzjduPO60ruz8tD2Xr
-YnQwVinQX0fJo7TmyQKDIxwld/Q5pMoDMfVlS71M/vISFfQ/Rx1PqYvBQyG1dvIA
-qn9cNNVnjEGrk7zXjCfehMYiCtDZ+D3VyXeZ6A7YZNpc6RUj8rbWcOtKLayRFlwf
-DTjV3/nPqV0M2nU6jXFBMfQ47VSfB7ibINt94xo=
-----END CERTIFICATE-----
--- a/keys/certs/dgnum-test-ap-ca.crt
+++ b/keys/certs/dgnum-test-ap-ca.crt
@ -1,23 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIDxzCCAq+gAwIBAgIUPuHEZeZoCidp+w5ME2CrkZEn3T8wDQYJKoZIhvcNAQEL
-BQAwczE0MDIGA1UEAwwrREdOdW0gVGVzdCBBUCBDQSAtLSBETyBOT1QgVVNFIE9S
-IEdFVCBGSVJFRDELMAkGA1UEBhMCRlIxDjAMBgNVBAgMBVBhcmlzMQ4wDAYDVQQH
-DAVQYXJpczEOMAwGA1UECgwFREdOdW0wHhcNMjQwODI2MTg1ODQ4WhcNMjkwODI2
-MTg1ODQ4WjBzMTQwMgYDVQQDDCtER051bSBUZXN0IEFQIENBIC0tIERPIE5PVCBV
-U0UgT1IgR0VUIEZJUkVEMQswCQYDVQQGEwJGUjEOMAwGA1UECAwFUGFyaXMxDjAM
-BgNVBAcMBVBhcmlzMQ4wDAYDVQQKDAVER051bTCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAKLgCNXLI6FQWJY5JQDqZcO1hmZpp0upT59/JvJXmEl4St1O
-FF3frSAoFcgn2Bv3kYQQ6wEhD3S7JBxRmoDtx/7sqsXthNpBaymVdphb9XhnVOC2
-NDBKV4WH06Hr06oKVfDSBhIldPJr1vfQLehOnz6uqK7walqPvid3tMv0lwt7mHZ9
-qQpgC2C/tkHwD1kh1RszoIZKIQWDnSNXPhYnB3X/DMCUWIKiz6P/0rVANEDDZER6
-b6eJRjv2l8jPlOt7CUTAOrsoJGCnSg2SV4lgr1u3mE/2AvmLdO0l5Dz0qCuQNbb3
-uWqYUonooR8rox171On/Rd0zvtihycSDxofVJ+MCAwEAAaNTMFEwHQYDVR0OBBYE
-FIPUT3v8AoeBS6VbcEvgVc1dC38hMB8GA1UdIwQYMBaAFIPUT3v8AoeBS6VbcEvg
-Vc1dC38hMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACX1aqYU
-9PIwZ/dBS7cpsBsCm9M0ueInTlQpvv6xioKuPhIet40YgawTRakxniAr0WXHTBV5
-a8ZQ4ff4uI+sdaxN7Ueufr4ltWVLuSc9DfIxjLVZ+41G6Ehy9Xc2zoDBfYURrXjd
-ISvPSXIKjM0yuS/249C77HOdzwbliS65Io2zubQStGfSaZ3sLAfPJoig+QiVyOtG
-sPoYzzrjXDBym+plfGTWqHv+gwo6DZarXrK4yaMn4hYkkf95NsY2ywwHzcy/4hsu
-+bMm4IeCrB9uNOZtQrqW81/+4oxjGiKLbhnFPNQOg2pzb+iOJTPKVicAqKDSCnou
-WXG5pjBKzojPvxU=
-----END CERTIFICATE-----
--- a/keys/default.nix
+++ b/keys/default.nix
@ -0,0 +1,88 @@
+let
+  _sources = import ../npins;
+
+  meta = import ../meta (import _sources.nixpkgs { }).lib;
+
+  getAttr = flip builtins.getAttr;
+
+  inherit (import ../lib/nix-lib) flip setDefault unique;
+in
+
+rec {
+  # WARNING: When updating this list, make sure that the nodes and members are alphabetically sorted
+  #          If not, you will face an angry maintainer
+  _keys = {
+    # SSH keys of the nodes
+    bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
+    compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
+    geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
+    geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
+    rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
+    storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
+    vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
+    web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
+    web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
+    web03 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ];
+
+    # SSH keys of the DGNum members
+    agroudiev = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM="
+    ];
+    catvayor = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
+    ];
+    cst1 = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
+    ];
+    ecoppens = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
+    gdd = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ"
+    ];
+    jemagius = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
+    ];
+    luj = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
+    ];
+    mboyer = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
+    mdebray = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
+    ];
+    raito = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
+    ];
+    thubrecht = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
+    ];
+  };
+
+  getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
+
+  mkSecrets =
+    nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
+
+  getNodeKeys' =
+    node:
+    let
+      names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
+        meta.nodes.${node}.admins ++ [ node ]
+      ) meta.nodes.${node}.adminGroups;
+    in
+    unique (getKeys names);
+
+  getNodeKeys = node: rootKeys ++ getNodeKeys' node;
+
+  # List of keys for the root group
+  rootKeys = getKeys meta.organization.groups.root;
+
+  # List of 'machine' keys
+  machineKeys = rootKeys ++ (getKeys (builtins.attrNames meta.nodes));
+}
--- a/keys/ecoppens.keys
+++ b/keys/ecoppens.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA
--- a/keys/gdd.keys
+++ b/keys/gdd.keys
@ -1,2 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ
--- a/keys/jemagius.keys
+++ b/keys/jemagius.keys
@ -1,2 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8=
--- a/keys/luj.keys
+++ b/keys/luj.keys
@ -1,2 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower
--- a/keys/machines/compute01.keys
+++ b/keys/machines/compute01.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu
--- a/keys/machines/geo01.keys
+++ b/keys/machines/geo01.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4
--- a/keys/machines/geo02.keys
+++ b/keys/machines/geo02.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket
--- a/keys/machines/rescue01.keys
+++ b/keys/machines/rescue01.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf
--- a/keys/machines/storage01.keys
+++ b/keys/machines/storage01.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ
--- a/keys/machines/vault01.keys
+++ b/keys/machines/vault01.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW
--- a/keys/machines/web01.keys
+++ b/keys/machines/web01.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5
--- a/keys/machines/web02.keys
+++ b/keys/machines/web02.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE020zqMJTlJ73czVxWVNmRof6il+N9dS4Knm43bJSpm
--- a/keys/mdebray.keys
+++ b/keys/mdebray.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris
--- a/keys/raito.keys
+++ b/keys/raito.keys
@ -1,3 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU
--- a/keys/thubrecht.keys
+++ b/keys/thubrecht.keys
@ -1,3 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn
--- a/lib/default.nix
+++ b/lib/default.nix
@ -1,33 +0,0 @@
-_:
-
-let
-  sources = import ../npins;
-
-  lib = import sources.nix-lib {
-    inherit ((import sources.nixpkgs { })) lib;
-
-    keysRoot = ../keys;
-  };
-
-  meta = import ../meta lib;
-
-  inherit (lib.extra) getAllKeys;
-in
-
-lib.extra
-// rec {
-  # Get publickeys associated to a node
-  getNodeKeys =
-    node:
-    let
-      names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
-        meta.nodes.${node}.admins ++ [ "/machines/${node}" ]
-      ) meta.nodes.${node}.adminGroups;
-    in
-    rootKeys ++ (getAllKeys names);
-
-  rootKeys = getAllKeys meta.organization.groups.root;
-
-  machineKeys =
-    rootKeys ++ (getAllKeys (builtins.map (n: "machines/${n}") (builtins.attrNames meta.nodes)));
-}
--- a/lib/nix-lib/default.nix
+++ b/lib/nix-lib/default.nix
@ -0,0 +1,200 @@
+# Copyright Tom Hubrecht, (2023)
+#
+#  Tom Hubrecht <tom@hubrecht.ovh>
+#
+#  This software is governed by the CeCILL  license under French law and
+#  abiding by the rules of distribution of free software.  You can  use,
+#  modify and/ or redistribute the software under the terms of the CeCILL
+#  license as circulated by CEA, CNRS and INRIA at the following URL
+#  "http://www.cecill.info".
+#
+#  As a counterpart to the access to the source code and  rights to copy,
+#  modify and redistribute granted by the license, users are provided only
+#  with a limited warranty  and the software's author,  the holder of the
+#  economic rights,  and the successive licensors  have only  limited
+#  liability.
+#
+#  In this respect, the user's attention is drawn to the risks associated
+#  with loading,  using,  modifying and/or developing or reproducing the
+#  software by the user in light of its specific status of free software,
+#  that may mean  that it is complicated to manipulate,  and  that  also
+#  therefore means  that it is reserved for developers  and  experienced
+#  professionals having in-depth computer knowledge. Users are therefore
+#  encouraged to load and test the software's suitability as regards their
+#  requirements in conditions enabling the security of their systems and/or
+#  data to be ensured and,  more generally, to use and operate it in the
+#  same conditions as regards security.
+#
+#  The fact that you are presently reading this means that you have had
+#  knowledge of the CeCILL license and that you accept its terms.
+
+let
+  # Reimplement optional functions
+  _optional =
+    default: b: value:
+    if b then value else default;
+in
+
+rec {
+  inherit (import ./nixpkgs.nix)
+    flip
+    hasPrefix
+    recursiveUpdate
+    splitString
+    unique
+    ;
+
+  /*
+    Fuses a list of attribute sets into a single attribute set.
+
+    Type: [attrs] -> attrs
+
+     Example:
+       x = [ { a = 1; } { b = 2; } ]
+       fuseAttrs x
+       => { a = 1; b = 2; }
+  */
+  fuseAttrs = builtins.foldl' (attrs: x: attrs // x) { };
+
+  fuseValueAttrs = attrs: fuseAttrs (builtins.attrValues attrs);
+
+  /*
+    Applies a function to `attrsList` before fusing the resulting list
+    of attribute sets.
+
+    Type: ('a -> attrs) -> ['a] -> attrs
+
+    Example:
+     x = [ "to" "ta" "ti" ]
+     f = s: { ${s} = s + s; }
+     mapFuse f x
+     => { to = "toto"; ta = "tata"; ti = "titi"; }
+  */
+  mapFuse =
+    # 'a -> attrs
+    f:
+    # ['a]
+    attrsList:
+    fuseAttrs (builtins.map f attrsList);
+
+  /*
+    Equivalent of lib.singleton but for an attribute set.
+
+    Type: str -> 'a -> attrs
+
+     Example:
+       singleAttr "a" 1
+       => { a = 1; }
+  */
+  singleAttr = name: value: { ${name} = value; };
+
+  # Enables a list of modules.
+  enableAttrs' =
+    enable:
+    mapFuse (m: {
+      ${m}.${enable} = true;
+    });
+
+  enableModules = enableAttrs' "enable";
+
+  /*
+    Create an attribute set from a list of values, mapping those
+    values through the function `f`.
+
+    Example:
+     mapSingleFuse (x: "val-${x}") [ "a" "b" ]
+     => { a = "val-a"; b = "val-b" }
+  */
+  mapSingleFuse = f: mapFuse (x: singleAttr x (f x));
+
+  /*
+    Creates a relative path as a string
+
+    Type: path -> str -> path
+
+     Example:
+       mkRel /home/test/ "file.txt"
+       => "/home/test/file.txt"
+  */
+  mkRel = path: file: path + "/${file}";
+
+  setDefault =
+    default:
+    mapFuse (name: {
+      ${name} = default;
+    });
+
+  mkBaseSecrets =
+    root:
+    mapFuse (secret: {
+      ${secret}.file = mkRel root secret;
+    });
+
+  getSecrets = dir: builtins.attrNames (import (mkRel dir "secrets.nix"));
+
+  subAttr = attrs: name: attrs.${name};
+
+  subAttrs = attrs: builtins.map (subAttr attrs);
+
+  optionalList = _optional [ ];
+
+  optionalAttrs = _optional { };
+
+  optionalString = _optional "";
+  /*
+    Same as fuseAttrs but using `lib.recursiveUpdate` to merge attribute
+    sets together.
+
+    Type: [attrs] -> attrs
+  */
+  recursiveFuse = builtins.foldl' recursiveUpdate { };
+
+  mkImport =
+    root: file:
+    let
+      path = mkRel root file;
+    in
+    path + (optionalString (!(builtins.pathExists path)) ".nix");
+
+  mkImports = root: builtins.map (mkImport root);
+
+  /*
+    Creates a confugiration by merging enabled modules,
+    services and extraConfig.
+
+    Example:
+     mkConfig {
+       enabledModules = [ "ht-defaults" ];
+       enabledServices = [ "toto" ];
+       extraConfig = { services.nginx.enable = true; };
+       root = ./.;
+     }
+     =>
+     {
+       imports = [ ./toto ];
+       ht-defaults.enable = true;
+       services.nginx.enable = true;
+     }
+  */
+  mkConfig =
+    {
+      # List of modules to enable with `enableModules`
+      enabledModules,
+      # List of services to import
+      enabledServices,
+      # Extra configuration, defaults to `{ }`
+      extraConfig ? { },
+      # Path relative to which the enabled services will be imported
+      root,
+    }:
+    recursiveFuse [
+      (enableModules enabledModules)
+
+      {
+        imports =
+          (extraConfig.imports or [ ]) ++ (mkImports root ([ "_hardware-configuration" ] ++ enabledServices));
+      }
+
+      (removeAttrs extraConfig [ "imports" ])
+    ];
+}
--- a/lib/nix-lib/nixpkgs.nix
+++ b/lib/nix-lib/nixpkgs.nix
@ -0,0 +1,416 @@
+###
+# Collection of nixpkgs library functions, those are necessary for defining our own lib
+#
+# They have been simplified and builtins are used in some places, instead of lib shims.
+
+rec {
+  /**
+    Does the same as the update operator '//' except that attributes are
+    merged until the given predicate is verified.  The predicate should
+    accept 3 arguments which are the path to reach the attribute, a part of
+    the first attribute set and a part of the second attribute set.  When
+    the predicate is satisfied, the value of the first attribute set is
+    replaced by the value of the second attribute set.
+
+    # Inputs
+
+    `pred`
+
+    : Predicate, taking the path to the current attribute as a list of strings for attribute names, and the two values at that path from the original arguments.
+
+    `lhs`
+
+    : Left attribute set of the merge.
+
+    `rhs`
+
+    : Right attribute set of the merge.
+
+    # Type
+
+    ```
+    recursiveUpdateUntil :: ( [ String ] -> AttrSet -> AttrSet -> Bool ) -> AttrSet -> AttrSet -> AttrSet
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.attrsets.recursiveUpdateUntil` usage example
+
+    ```nix
+    recursiveUpdateUntil (path: l: r: path == ["foo"]) {
+      # first attribute set
+      foo.bar = 1;
+      foo.baz = 2;
+      bar = 3;
+    } {
+      #second attribute set
+      foo.bar = 1;
+      foo.quz = 2;
+      baz = 4;
+    }
+
+    => {
+      foo.bar = 1; # 'foo.*' from the second set
+      foo.quz = 2; #
+      bar = 3;     # 'bar' from the first set
+      baz = 4;     # 'baz' from the second set
+    }
+    ```
+
+    :::
+  */
+  recursiveUpdateUntil =
+    pred: lhs: rhs:
+    let
+      f =
+        attrPath:
+        builtins.zipAttrsWith (
+          n: values:
+          let
+            here = attrPath ++ [ n ];
+          in
+          if builtins.length values == 1 || pred here (builtins.elemAt values 1) (builtins.head values) then
+            builtins.head values
+          else
+            f here values
+        );
+    in
+    f [ ] [
+      rhs
+      lhs
+    ];
+
+  /**
+    A recursive variant of the update operator ‘//’.  The recursion
+    stops when one of the attribute values is not an attribute set,
+    in which case the right hand side value takes precedence over the
+    left hand side value.
+
+    # Inputs
+
+    `lhs`
+
+    : Left attribute set of the merge.
+
+    `rhs`
+
+    : Right attribute set of the merge.
+
+    # Type
+
+    ```
+    recursiveUpdate :: AttrSet -> AttrSet -> AttrSet
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.attrsets.recursiveUpdate` usage example
+
+    ```nix
+    recursiveUpdate {
+      boot.loader.grub.enable = true;
+      boot.loader.grub.device = "/dev/hda";
+    } {
+      boot.loader.grub.device = "";
+    }
+
+    returns: {
+      boot.loader.grub.enable = true;
+      boot.loader.grub.device = "";
+    }
+    ```
+
+    :::
+  */
+  recursiveUpdate =
+    lhs: rhs:
+    recursiveUpdateUntil (
+      _: lhs: rhs:
+      !(builtins.isAttrs lhs && builtins.isAttrs rhs)
+    ) lhs rhs;
+
+  /**
+    Determine whether a string has given prefix.
+
+    # Inputs
+
+    `pref`
+    : Prefix to check for
+
+    `str`
+    : Input string
+
+    # Type
+
+    ```
+    hasPrefix :: string -> string -> bool
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.hasPrefix` usage example
+
+    ```nix
+    hasPrefix "foo" "foobar"
+    => true
+    hasPrefix "foo" "barfoo"
+    => false
+    ```
+
+    :::
+  */
+  hasPrefix = pref: str: (builtins.substring 0 (builtins.stringLength pref) str == pref);
+
+  /**
+    Escape occurrence of the elements of `list` in `string` by
+    prefixing it with a backslash.
+
+    # Inputs
+
+    `list`
+    : 1\. Function argument
+
+    `string`
+    : 2\. Function argument
+
+    # Type
+
+    ```
+    escape :: [string] -> string -> string
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.escape` usage example
+
+    ```nix
+    escape ["(" ")"] "(foo)"
+    => "\\(foo\\)"
+    ```
+
+    :::
+  */
+  escape = list: builtins.replaceStrings list (builtins.map (c: "\\${c}") list);
+
+  /**
+    Convert a string `s` to a list of characters (i.e. singleton strings).
+    This allows you to, e.g., map a function over each character.  However,
+    note that this will likely be horribly inefficient; Nix is not a
+    general purpose programming language. Complex string manipulations
+    should, if appropriate, be done in a derivation.
+    Also note that Nix treats strings as a list of bytes and thus doesn't
+    handle unicode.
+
+    # Inputs
+
+    `s`
+    : 1\. Function argument
+
+    # Type
+
+    ```
+    stringToCharacters :: string -> [string]
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.stringToCharacters` usage example
+
+    ```nix
+    stringToCharacters ""
+    => [ ]
+    stringToCharacters "abc"
+    => [ "a" "b" "c" ]
+    stringToCharacters "🦄"
+    => [ "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" ]
+    ```
+
+    :::
+  */
+  stringToCharacters = s: builtins.genList (p: builtins.substring p 1 s) (builtins.stringLength s);
+
+  /**
+    Turn a string `s` into an exact regular expression
+
+    # Inputs
+
+    `s`
+    : 1\. Function argument
+
+    # Type
+
+    ```
+    escapeRegex :: string -> string
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.escapeRegex` usage example
+
+    ```nix
+    escapeRegex "[^a-z]*"
+    => "\\[\\^a-z]\\*"
+    ```
+
+    :::
+  */
+  escapeRegex = escape (stringToCharacters "\\[{()^$?*+|.");
+
+  /**
+    Appends string context from string like object `src` to `target`.
+
+    :::{.warning}
+    This is an implementation
+    detail of Nix and should be used carefully.
+    :::
+
+    Strings in Nix carry an invisible `context` which is a list of strings
+    representing store paths. If the string is later used in a derivation
+    attribute, the derivation will properly populate the inputDrvs and
+    inputSrcs.
+
+    # Inputs
+
+    `src`
+    : The string to take the context from. If the argument is not a string,
+      it will be implicitly converted to a string.
+
+    `target`
+    : The string to append the context to. If the argument is not a string,
+      it will be implicitly converted to a string.
+
+    # Type
+
+    ```
+    addContextFrom :: string -> string -> string
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.addContextFrom` usage example
+
+    ```nix
+    pkgs = import <nixpkgs> { };
+    addContextFrom pkgs.coreutils "bar"
+    => "bar"
+    ```
+
+    The context can be displayed using the `toString` function:
+
+    ```nix
+    nix-repl> builtins.getContext (lib.strings.addContextFrom pkgs.coreutils "bar")
+    {
+      "/nix/store/m1s1d2dk2dqqlw3j90jl3cjy2cykbdxz-coreutils-9.5.drv" = { ... };
+    }
+    ```
+
+    :::
+  */
+  addContextFrom = src: target: builtins.substring 0 0 src + target;
+
+  /**
+    Cut a string with a separator and produces a list of strings which
+    were separated by this separator.
+
+    # Inputs
+
+    `sep`
+    : 1\. Function argument
+
+    `s`
+    : 2\. Function argument
+
+    # Type
+
+    ```
+    splitString :: string -> string -> [string]
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.splitString` usage example
+
+    ```nix
+    splitString "." "foo.bar.baz"
+    => [ "foo" "bar" "baz" ]
+    splitString "/" "/usr/local/bin"
+    => [ "" "usr" "local" "bin" ]
+    ```
+
+    :::
+  */
+  splitString =
+    sep: s:
+    let
+      splits = builtins.filter builtins.isString (
+        builtins.split (escapeRegex (builtins.toString sep)) (builtins.toString s)
+      );
+    in
+    builtins.map (addContextFrom s) splits;
+
+  /**
+    Remove duplicate elements from the `list`. O(n^2) complexity.
+
+    # Inputs
+
+    `list`
+
+    : Input list
+
+    # Type
+
+    ```
+    unique :: [a] -> [a]
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.lists.unique` usage example
+
+    ```nix
+    unique [ 3 2 3 4 ]
+    => [ 3 2 4 ]
+    ```
+
+    :::
+  */
+  unique = builtins.foldl' (acc: e: if builtins.elem e acc then acc else acc ++ [ e ]) [ ];
+
+  /**
+    Flip the order of the arguments of a binary function.
+
+    # Inputs
+
+    `f`
+
+    : 1\. Function argument
+
+    `a`
+
+    : 2\. Function argument
+
+    `b`
+
+    : 3\. Function argument
+
+    # Type
+
+    ```
+    flip :: (a -> b -> c) -> (b -> a -> c)
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.trivial.flip` usage example
+
+    ```nix
+    flip concat [1] [2]
+    => [ 2 1 ]
+    ```
+
+    :::
+  */
+  flip =
+    f: a: b:
+    f b a;
+}
--- a/lib/nix-patches/default.nix
+++ b/lib/nix-patches/default.nix
@ -0,0 +1,110 @@
+# Copyright Tom Hubrecht, (2023-2024)
+#
+# Tom Hubrecht <tom@hubrecht.ovh>
+#
+# This software is governed by the CeCILL  license under French law and
+# abiding by the rules of distribution of free software.  You can  use,
+# modify and/ or redistribute the software under the terms of the CeCILL
+# license as circulated by CEA, CNRS and INRIA at the following URL
+# "http://www.cecill.info".
+#
+# As a counterpart to the access to the source code and  rights to copy,
+# modify and redistribute granted by the license, users are provided only
+# with a limited warranty  and the software's author,  the holder of the
+# economic rights,  and the successive licensors  have only  limited
+# liability.
+#
+# In this respect, the user's attention is drawn to the risks associated
+# with loading,  using,  modifying and/or developing or reproducing the
+# software by the user in light of its specific status of free software,
+# that may mean  that it is complicated to manipulate,  and  that  also
+# therefore means  that it is reserved for developers  and  experienced
+# professionals having in-depth computer knowledge. Users are therefore
+# encouraged to load and test the software's suitability as regards their
+# requirements in conditions enabling the security of their systems and/or
+# data to be ensured and,  more generally, to use and operate it in the
+# same conditions as regards security.
+#
+# The fact that you are presently reading this means that you have had
+# knowledge of the CeCILL license and that you accept its terms.
+
+{
+  patchFile,
+  excludeGitHubManual ? true,
+  fetchers ? { },
+}:
+
+rec {
+  base =
+    { pkgs }:
+    rec {
+      mkUrlPatch =
+        attrs:
+        pkgs.fetchpatch (
+          {
+            hash = pkgs.lib.fakeHash;
+          }
+          // attrs
+          // (pkgs.lib.optionalAttrs (excludeGitHubManual && !(builtins.hasAttr "includes" attrs)) {
+            excludes = (attrs.excludes or [ ]) ++ [ "nixos/doc/manual/*" ];
+          })
+        );
+
+      mkGitHubPatch =
+        { id, ... }@attrs:
+        mkUrlPatch (
+          (builtins.removeAttrs attrs [ "id" ])
+          // {
+            url = "https://github.com/NixOS/nixpkgs/pull/${builtins.toString id}.diff";
+          }
+        );
+
+      mkCommitPatch =
+        { sha, ... }@attrs:
+        mkUrlPatch (
+          (builtins.removeAttrs attrs [ "sha" ])
+          // {
+            url = "https://github.com/NixOS/nixpkgs/commit/${builtins.toString sha}.diff";
+          }
+        );
+
+      patchFunctions = {
+        commit = mkCommitPatch;
+        github = mkGitHubPatch;
+        remote = pkgs.fetchpatch;
+        static = attrs: attrs.path;
+        url = mkUrlPatch;
+      } // fetchers;
+
+      mkPatch =
+        {
+          _type ? "github",
+          ...
+        }@attrs:
+        if builtins.hasAttr _type patchFunctions then
+          patchFunctions.${_type} (builtins.removeAttrs attrs [ "_type" ])
+        else
+          throw "Unknown patch type: ${builtins.toString _type}.";
+
+      mkPatches = v: builtins.map mkPatch ((import patchFile).${v} or [ ]);
+
+      applyPatches =
+        {
+          src,
+          name,
+          patches ? mkPatches name,
+        }:
+        if patches == [ ] then
+          src
+        else
+          pkgs.applyPatches {
+            inherit patches src;
+
+            name = "${name}-patched";
+          };
+
+      applyPatches' = name: src: applyPatches { inherit name src; };
+    };
+
+  mkNixpkgsSrc = { src, name }: (base { pkgs = import src { }; }).applyPatches { inherit src name; };
+}
--- a/liminix-rebuild.nix
+++ b/liminix-rebuild.nix
@ -1 +0,0 @@
-{ liminix-system }: (import ./liminix-hive.nix { }).${liminix-system}.primary
--- a/machines/ap01/_configuration.nix
+++ b/machines/ap01/_configuration.nix
@ -1,259 +0,0 @@
-{
-  config,
-  pkgs,
-  modulesPath,
-  ...
-}:
-let
-  inherit (pkgs.liminix.services) oneshot;
-  inherit (pkgs.pseudofile) symlink dir;
-  inherit (pkgs) serviceFns;
-  svc = config.system.service;
-  secrets-1 = {
-    ssid = "DGNum 2G prototype (N)";
-  };
-  secrets-2 = {
-    ssid = "DGNum 5G prototype (AX)";
-  };
-  baseParams = {
-    country_code = "FR";
-    hw_mode = "g";
-    channel = 6;
-    wmm_enabled = 1;
-    ieee80211n = 1;
-    ht_capab = "[LDPC][GF][HT40-][HT40+][SHORT-GI-40][MAX-AMSDU-7935][TX-STBC]";
-    auth_algs = 1;
-    wpa = 2;
-    wpa_pairwise = "TKIP CCMP";
-    rsn_pairwise = "CCMP";
-  };
-
-  radiusKeyMgmt = {
-    wpa_key_mgmt = "WPA-EAP";
-  };
-
-  modernParams = {
-    hw_mode = "a";
-    he_su_beamformer = 1;
-    he_su_beamformee = 1;
-    he_mu_beamformer = 1;
-    preamble = 1;
-    # Allow radar detection.
-    ieee80211d = 1;
-    ieee80211h = 1;
-    ieee80211ac = 1;
-    ieee80211ax = 1;
-    vht_capab = "[MAX-MPDU-7991][SU-BEAMFORMEE][SU-BEAMFORMER][RXLDPC][SHORT-GI-80][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][TX-STBC-2BY1][RX-STBC-1][MU-BEAMFORMER]";
-    vht_oper_chwidth = 1;
-    he_oper_chwidth = 1;
-    channel = 36;
-    vht_oper_centr_freq_seg0_idx = 42;
-    he_oper_centr_freq_seg0_idx = 42;
-    require_vht = 1;
-  };
-
-  clientRadius = {
-    ieee8021x = 1;
-    eapol_version = 2;
-    use_pae_group_addr = 1;
-    dynamic_vlan = 0;
-    vlan_tagged_interface = "lan";
-  };
-
-  externalRadius = {
-    # TODO: when we have proper IPAM, set the right value here.
-    own_ip_addr = "127.0.0.1";
-    nas_identifier = "ap01.dgnum.eu";
-
-    # No DNS here, hostapd do not support this mode.
-    auth_server_addr = "129.199.195.129";
-    auth_server_port = 1812;
-    auth_server_shared_secret = "read it online";
-  };
-
-  mkWifiSta =
-    params: interface: secrets:
-    svc.hostapd.build {
-      inherit interface;
-      package = pkgs.hostapd-radius;
-      params = params // secrets;
-      dependencies = [ config.services.jitter ];
-    };
-in
-rec {
-  imports = [
-    "${modulesPath}/wlan.nix"
-    "${modulesPath}/network"
-    "${modulesPath}/dhcp6c"
-    "${modulesPath}/hostapd"
-    "${modulesPath}/ssh"
-    "${modulesPath}/ntp"
-    "${modulesPath}/vlan"
-    "${modulesPath}/bridge"
-    "${modulesPath}/jitter-rng"
-    "${modulesPath}/pki"
-    "${modulesPath}/ubus"
-    ../../modules/dgn-access-control.nix
-    # TODO: god that's so a fucking hack.
-    (import "${modulesPath}/../devices/zyxel-nwa50ax").module
-  ];
-
-  hostname = "ap01-prototype";
-
-  # Get moar random please
-  services.jitter = svc.jitter-rng.build { };
-  services.ubus = svc.ubus.build { };
-
-  # SSH keys are handled by the access control module.
-  dgn-access-control.enable = true;
-  users.root = {
-    passwd = "$6$jVXFFOp8HBYmgINR$lutB4kvw.W1jlXRby9ZYAgBitQ32RxQdYAGN.s2x4ris8J07vM6tzlRBQoeLELOIEMClDzbciQV0itfHQnTqd1";
-  };
-
-  services.int = svc.bridge.primary.build {
-    ifname = "int";
-    macAddressFromInterface = config.hardware.networkInterfaces.lan;
-  };
-
-  services.bridge = svc.bridge.members.build {
-    primary = services.int;
-    members = {
-      lan.member = config.hardware.networkInterfaces.lan;
-      wlan0 = {
-        member = config.hardware.networkInterfaces.wlan0;
-        # Bridge only once hostapd is ready.
-        dependencies = [ config.services.hostap-1-ready ];
-      };
-      wlan1 = {
-        member = config.hardware.networkInterfaces.wlan1;
-        # Bridge only once hostapd is ready.
-        dependencies = [ config.services.hostap-2-ready ];
-      };
-    };
-  };
-
-  services.resolvconf = oneshot rec {
-    name = "resolvconf";
-    up = ''
-      . ${serviceFns}
-      ( in_outputs ${name}
-      for i in $(output ${services.dhcpv4} dns); do
-        echo "nameserver $i" >> resolv.conf
-      done
-      )
-    '';
-
-    dependencies = [
-      config.services.dhcpv4
-    ];
-  };
-
-  filesystem = dir {
-    etc = dir {
-      "resolv.conf" = symlink "${config.services.resolvconf}/.outputs/resolv.conf";
-      "nixpkgs.version" = {
-        type = "f";
-        file = "${pkgs.lib.version}";
-        mode = "0444";
-      };
-    };
-  };
-
-  services.dhcpv4 = svc.network.dhcp.client.build {
-    interface = config.services.int;
-    dependencies = [
-      config.services.hostname
-      config.services.bridge.components.lan
-    ];
-  };
-
-  # TODO(raito): these won't work with RAs
-  # fix them in Liminix directly and re-enable.
-  # services.dhcpv6 = svc.dhcp6c.client.build {
-  #   interface = config.services.int;
-  #   dependencies = [
-  #     config.services.hostname
-  #     config.services.bridge
-  #   ];
-  # };
-
-  # services.ipv6 = svc.dhcp6c.address.build {
-  #   interface = config.services.int;
-  #   client = config.services.dhcpv6;
-  #   dependencies = [ config.services.hostname ];
-  # };
-
-  services.defaultroute4 = svc.network.route.build {
-    via = "$(output ${services.dhcpv4} router)";
-    target = "default";
-    dependencies = [ services.dhcpv4 ];
-  };
-
-  services.packet_forwarding = svc.network.forward.build { };
-  services.sshd = svc.ssh.build { allowRoot = true; };
-
-  services.ntp = config.system.service.ntp.build {
-    pools = {
-      "pool.ntp.org" = [ "iburst" ];
-    };
-
-    dependencies = [ config.services.jitter ];
-  };
-
-  boot.tftp = {
-    serverip = "192.0.2.10";
-    ipaddr = "192.0.2.12";
-  };
-
-  # wlan0 is the 2.4GHz interface.
-  services.hostap-1 = mkWifiSta (
-    baseParams // radiusKeyMgmt
-  ) config.hardware.networkInterfaces.wlan0 secrets-1;
-  services.hostap-1-ready = svc.hostapd-ready.build {
-    interface = config.hardware.networkInterfaces.wlan0;
-  };
-  # wlan1 is the 5GHz interface, e.g. AX capable.
-  services.hostap-2 = mkWifiSta (
-    baseParams // clientRadius // externalRadius // radiusKeyMgmt // modernParams
-  ) config.hardware.networkInterfaces.wlan1 secrets-2;
-  # Oneshot that waits until the hostapd has set the interface in operational state.
-  services.hostap-2-ready = svc.hostapd-ready.build {
-    interface = config.hardware.networkInterfaces.wlan1;
-  };
-
-  defaultProfile.packages = with pkgs; [
-    zyxel-bootconfig
-    min-collect-garbage
-    iwinfo
-    ifwait
-    # Levitate enable us to mass-reinstall the system on the fly.
-    (levitate.override {
-      config = {
-        imports = [
-          "${modulesPath}/network"
-          "${modulesPath}/ssh"
-          "${modulesPath}/hardware.nix"
-          "${modulesPath}/kernel"
-          "${modulesPath}/outputs/tftpboot.nix"
-          "${modulesPath}/outputs.nix"
-        ];
-        services = {
-          # Simplest DHCPv4 we can find.
-          dhcpv4 = svc.network.dhcp.client.build {
-            interface = config.hardware.networkInterfaces.lan;
-          };
-          inherit (config.services) sshd;
-          defaultroute4 = svc.network.route.build {
-            via = "$(output ${services.dhcpv4} router)";
-            target = "default";
-            dependencies = [ config.services.dhcpv4 ];
-          };
-        };
-
-        defaultProfile.packages = [ mtdutils ];
-        # Only keep root, which should inherit from DGN access control's root permissions.
-        users.root = config.users.root;
-      };
-    })
-  ];
-}
--- a/machines/ap01/_hardware-configuration.nix
+++ b/machines/ap01/_hardware-configuration.nix
@ -1 +0,0 @@
-{ }
--- a/machines/bridge01/_configuration.nix
+++ b/machines/bridge01/_configuration.nix
@ -0,0 +1,20 @@
+{ lib, pkgs, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [
+    # List of modules to enable
+  ];
+
+  enabledServices = [
+    # List of services to enable
+    "network"
+  ];
+
+  extraConfig = {
+    services.netbird.enable = true;
+
+    environment.systemPackages = [ pkgs.bcachefs-tools ];
+  };
+
+  root = ./.;
+}
--- a/machines/bridge01/_hardware-configuration.nix
+++ b/machines/bridge01/_hardware-configuration.nix
@ -0,0 +1,53 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ modulesPath, pkgs, ... }:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "xhci_pci"
+        "ehci_pci"
+        "ahci"
+        "sd_mod"
+        "sr_mod"
+      ];
+    };
+
+    kernelModules = [ "kvm-intel" ];
+    kernelPackages = pkgs.linuxPackages_latest;
+
+    supportedFilesystems.bcachefs = true;
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "UUID=3da58b64-a2fd-428d-bde8-3a185e2f73fd";
+      fsType = "bcachefs";
+      options = [ "compression=zstd" ];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/4D0A-AF11";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+  };
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.vlan-admin.useDHCP = lib.mkDefault true;
+  # networking.interfaces.vlan-uplink-oob.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = true;
+}
--- a/machines/bridge01/network.nix
+++ b/machines/bridge01/network.nix
@ -0,0 +1,79 @@
+_:
+
+{
+  networking = {
+    useNetworkd = true;
+    useDHCP = false;
+
+    nftables.enable = true;
+    firewall.allowedUDPPorts = [ 67 ];
+  };
+
+  systemd.network = {
+    networks = {
+      "10-eno1" = {
+        name = "eno1";
+        networkConfig = {
+          VLAN = [
+            "vlan-admin"
+            "vlan-uplink-oob"
+          ];
+
+          LinkLocalAddressing = false;
+          LLDP = false;
+          EmitLLDP = false;
+          IPv6AcceptRA = false;
+          IPv6SendRA = false;
+        };
+        # address = [ "192.168.222.1/24" ];
+      };
+
+      "10-vlan-admin" = {
+        name = "vlan-admin";
+        # DHCP for the BMC
+        networkConfig.DHCPServer = "yes";
+
+        dhcpServerConfig = {
+          PoolOffset = 128;
+          EmitDNS = false;
+          EmitNTP = false;
+          EmitSIP = false;
+          EmitPOP3 = false;
+          EmitSMTP = false;
+          EmitLPR = false;
+          UplinkInterface = ":none";
+        };
+
+        address = [
+          "fd26:baf9:d250:8000::ffff/64"
+          "192.168.222.1/24"
+        ];
+      };
+
+      "10-vlan-uplink-oob" = {
+        name = "vlan-uplink-oob";
+        networkConfig.DHCP = "ipv4";
+      };
+    };
+
+    netdevs = {
+      "10-vlan-admin" = {
+        netdevConfig = {
+          Name = "vlan-admin";
+          Kind = "vlan";
+        };
+
+        vlanConfig.Id = 3000;
+      };
+
+      "10-vlan-uplink-oob" = {
+        netdevConfig = {
+          Name = "vlan-uplink-oob";
+          Kind = "vlan";
+        };
+
+        vlanConfig.Id = 500;
+      };
+    };
+  };
+}
--- a/machines/bridge01/secrets/secrets.nix
+++ b/machines/bridge01/secrets/secrets.nix
@ -0,0 +1,3 @@
+(import ../../../keys).mkSecrets [ "bridg01" ] [
+  # List of secrets for bridge01
+]
--- a/machines/compute01/_configuration.nix
+++ b/machines/compute01/_configuration.nix
@ -1,17 +1,19 @@
 { lib, ... }:

 lib.extra.mkConfig {
+  # List of modules to enable
  enabledModules = [
-    # List of modules to enable
+    # INFO: This list needs to stay sorted alphabetically
    "dgn-backups"
-    "dgn-fail2ban"
+    "dgn-chatops"
    "dgn-web"
  ];

+  # List of services to enable
  enabledServices = [
-    # List of services to enable
+    # INFO: This list needs to stay sorted alphabetically
    "arkheon"
-    "signal-irc-bridge"
+    "dgsi"
    "ds-fr"
    "grafana"
    "hedgedoc"
@ -19,24 +21,22 @@ lib.extra.mkConfig {
    "librenms"
    "mastodon"
    "nextcloud"
+    "ollama-proxy"
    "outline"
    "plausible"
    "postgresql"
    "rstudio-server"
    "satosa"
+    "signal-irc-bridge"
    "signald"
    "stirling-pdf"
+    "takumi"
    "telegraf"
    "vaultwarden"
    "zammad"
  ];

  extraConfig = {
-    dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
-      "sshd-bruteforce"
-      "sshd-timeout"
-    ];
-
    dgn-hardware.useZfs = true;

    services.netbird.enable = true;
--- a/machines/compute01/dgsi/default.nix
+++ b/machines/compute01/dgsi/default.nix
@ -0,0 +1,222 @@
+{
+  config,
+  lib,
+  pkgs,
+  utils,
+  sources,
+  ...
+}:
+
+let
+  inherit (lib) toLower;
+
+  python =
+    let
+      python3 = pkgs.python312;
+      nix-pkgs = import sources.nix-pkgs { inherit pkgs python3; };
+    in
+    python3.override {
+      packageOverrides = _: _: {
+        inherit (nix-pkgs)
+          django-allauth
+          django-allauth-cas
+          django-browser-reload
+          django-bulma-forms
+          django-sass-processor
+          django-sass-processor-dart-sass
+          django-unfold
+          pykanidm
+          python-cas
+          loadcredential
+          xlwt
+          ;
+      };
+    };
+
+  pythonEnv = python.withPackages (
+    ps:
+    [
+      ps.django
+      ps.gunicorn
+      ps.psycopg
+      ps.django-compressor
+      ps.django-import-export
+
+      # Local packages
+      ps.django-allauth
+      ps.django-allauth-cas
+      ps.django-browser-reload
+      ps.django-bulma-forms
+      ps.django-sass-processor
+      ps.django-sass-processor-dart-sass
+      ps.django-unfold
+      ps.loadcredential
+      ps.pykanidm
+      ps.python-cas
+    ]
+    ++ ps.django-allauth.optional-dependencies.saml
+  );
+
+  staticDrv = pkgs.stdenv.mkDerivation {
+    name = "dgsi-static";
+
+    src = sources.dgsi;
+    sourceRoot = "source/src";
+
+    nativeBuildInputs = [
+      pkgs.dart-sass
+      pythonEnv
+    ];
+
+    configurePhase = ''
+      export DGSI_STATIC_ROOT=$out/static
+      export CREDENTIALS_DIRECTORY=$(pwd)/../.credentials
+      export DGSI_KANIDM_CLIENT="dgsi_test"
+      export DGSI_KANIDM_AUTH_TOKEN="fake.token"
+      export DGSI_X509_KEY=""
+      export DGSI_X509_CERT=""
+    '';
+
+    doBuild = false;
+
+    installPhase = ''
+      mkdir -p $out/static
+      python3 manage.py compilescss
+      python3 manage.py collectstatic
+    '';
+  };
+in
+
+{
+  users = {
+    users.nginx.extraGroups = [ "django-apps" ];
+    groups.django-apps = { };
+  };
+
+  systemd = {
+    services = {
+      dj-dgsi = {
+        description = "DGSI web app";
+
+        requires = [ "dj-dgsi.socket" ];
+        wantedBy = [ "multi-user.target" ];
+        after = [
+          "network.target"
+          "postgresql.service"
+        ];
+
+        serviceConfig = {
+          DynamicUser = true;
+          LoadCredential = map (name: "${name}:${config.age.secrets."dgsi-${toLower name}_file".path}") [
+            "EMAIL_HOST_PASSWORD"
+            "KANIDM_AUTH_TOKEN"
+            "KANIDM_SECRET"
+            "SECRET_KEY"
+            "X509_CERT"
+            "X509_KEY"
+          ];
+          RuntimeDirectory = "django-apps/dgsi";
+          StateDirectory = "django-apps/dgsi";
+          UMask = "0027";
+          User = "dj-dgsi";
+          Group = "django-apps";
+          WorkingDirectory = sources.dgsi;
+          ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -s HUP $MAINPID";
+          KillMode = "mixed";
+          Type = "notify";
+          ExecStart = utils.escapeSystemdExecArgs [
+            (lib.getExe' pythonEnv "gunicorn")
+            "--workers"
+            4
+            "--bind"
+            "unix:/run/django-apps/dgsi.sock"
+            "--pythonpath"
+            "src"
+            "app.wsgi"
+          ];
+        };
+
+        environment = {
+          DGSI_ALLOWED_HOSTS = builtins.toJSON [
+            "profil.dgnum.eu"
+            "dgsi.dgnum.eu"
+          ];
+
+          DGSI_EMAIL_HOST = "kurisu.lahfa.xyz";
+          DGSI_EMAIL_HOST_USER = "web-services@infra.dgnum.eu";
+          DGSI_EMAIL_USE_SSL = builtins.toJSON true;
+          DGSI_FROM_EMAIL = "La Délégation Générale Numérique <noreply@infra.dgnum.eu>";
+          DGSI_SERVER_EMAIL = "dgsi@infra.dgnum.eu";
+
+          DGSI_KANIDM_CLIENT = "dgsi";
+          DGSI_KANIDM_URI = "https://sso.dgnum.eu";
+
+          DGSI_MEDIA_ROOT = "/var/lib/django-apps/dgsi/media";
+          DGSI_STATIC_ROOT = "${staticDrv}/static";
+
+          DGSI_DATABASES = builtins.toJSON {
+            default = {
+              ENGINE = "django.db.backends.postgresql";
+              NAME = "dj-dgsi";
+            };
+          };
+          DJANGO_SETTINGS_MODULE = "app.settings";
+        };
+
+        path = [ pythonEnv ];
+
+        preStart = ''
+          python3 src/manage.py migrate --no-input
+        '';
+      };
+    };
+
+    sockets."dj-dgsi" = {
+      description = "Socket for the DGSI Django Application";
+      wantedBy = [ "sockets.target" ];
+
+      socketConfig = {
+        ListenStream = "/run/django-apps/dgsi.sock";
+        SocketMode = "600";
+        SocketUser = config.services.nginx.user;
+      };
+    };
+
+    mounts = [
+      {
+        where = "/run/django-apps/dgsi/media";
+        what = "/var/lib/django-apps/dgsi/media";
+        options = "bind";
+
+        after = [ "dj-dgsi.service" ];
+        partOf = [ "dj-dgsi.service" ];
+        upheldBy = [ "dj-dgsi.service" ];
+      }
+    ];
+  };
+
+  dgn-redirections.permanent."dgsi.dgnum.eu" = "profil.dgnum.eu";
+
+  services = {
+    postgresql = {
+      ensureDatabases = [ "dj-dgsi" ];
+      ensureUsers = [
+        {
+          name = "dj-dgsi";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
+    nginx.virtualHosts."profil.dgnum.eu" = {
+      enableACME = true;
+      forceSSL = true;
+
+      locations = {
+        "/".proxyPass = "http://unix:/run/django-apps/dgsi.sock";
+        "/static/".root = staticDrv;
+        "/media/".root = "/run/django-apps/dgsi";
+      };
+    };
+  };
+}
--- a/machines/compute01/ds-fr/default.nix
+++ b/machines/compute01/ds-fr/default.nix
@ -1,14 +1,35 @@
-{ config, ... }:
+{
+  config,
+  pkgs,
+  sources,
+  ...
+}:

 let
  host = "demarches.dgnum.eu";
+
+  dgn-id = "fca8f72cd60c00e74d7735ec13e4e3a22e8e1244";
 in
 {
  imports = [ ./module.nix ];

+  dgn-web.internalPorts.ds-fr = 3000;
+
  services.demarches-simplifiees = {
    enable = true;

+    package =
+      ((import sources.nix-pkgs { inherit pkgs; }).demarches-simplifiees.override {
+        initialDeploymentDate = "20230923";
+      }).overrideAttrs
+        (old: {
+          dsModules = old.dsModules.overrideAttrs {
+            prePatch = ''
+              ${pkgs.lib.getExe pkgs.git} apply -p1 < ${builtins.fetchurl "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch"}
+            '';
+          };
+        });
+
    secretFile = config.age.secrets."ds-fr-secret_file".path;

    initialDeploymentDate = "20230923";
--- a/machines/compute01/grafana.nix
+++ b/machines/compute01/grafana.nix
@ -69,17 +69,11 @@ in
        }
      ];
    };
+  };

-    nginx.virtualHosts.${host} = {
-      enableACME = true;
-      forceSSL = true;
-
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${builtins.toString port}";
-        proxyWebsockets = true;
-        recommendedProxySettings = true;
-      };
-    };
+  dgn-web.simpleProxies.grafana = {
+    inherit host port;
+    proxyWebsockets = true;
  };

  age-secrets.autoMatch = [ "grafana" ];
--- a/machines/compute01/hedgedoc.nix
+++ b/machines/compute01/hedgedoc.nix
@ -29,16 +29,6 @@ in
      };
    };

-    nginx.virtualHosts.${host} = {
-      forceSSL = true;
-      enableACME = true;
-
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${builtins.toString port}";
-        proxyWebsockets = true;
-      };
-    };
-
    postgresql = {
      enable = true;

@ -53,6 +43,11 @@ in
    };
  };

+  dgn-web.simpleProxies.hedgedoc = {
+    inherit host port;
+    proxyWebsockets = true;
+  };
+
  systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce [
    "hedgedoc"
    "hedgedoc/uploads"
--- a/machines/compute01/kanidm/default.nix
+++ b/machines/compute01/kanidm/default.nix
@ -1,14 +1,23 @@
 {
  config,
  lib,
+  meta,
  nixpkgs,
  ...
 }:

 let
-  inherit (lib) escapeRegex concatStringsSep;
+  inherit (lib)
+    attrValues
+    catAttrs
+    escapeRegex
+    concatStringsSep
+    mapAttrs'
+    nameValuePair
+    ;

  domain = "sso.dgnum.eu";
+  port = 8443;

  cert = config.security.acme.certs.${domain};

@ -27,6 +36,8 @@ let
      "netbird-beta.hubrecht.ovh"
    ]
  );
+
+  usernameFor = member: meta.organization.members.${member}.username;
 in
 {
  services.kanidm = {
@ -39,7 +50,7 @@ in

      origin = "https://${domain}";

-      bindaddress = "127.0.0.1:8443";
+      bindaddress = "127.0.0.1:${builtins.toString port}";
      ldapbindaddress = "0.0.0.0:636";

      trust_x_forward_for = true;
@ -47,10 +58,113 @@ in
      tls_chain = "${cert.directory}/fullchain.pem";
      tls_key = "${cert.directory}/key.pem";
    };
+
+    provision = {
+      enable = true;
+
+      persons = mapAttrs' (
+        _:
+        {
+          email,
+          name,
+          username,
+          ...
+        }:
+        nameValuePair username {
+          displayName = name;
+          mailAddresses = [ email ];
+        }
+      ) meta.organization.members;
+
+      groups =
+        {
+          grp_active.members = catAttrs "username" (attrValues meta.organization.members);
+        }
+        // (mapAttrs' (
+          name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
+        ) meta.organization.groups);
+
+      # INFO: The authentication resources declared here can only be for internal services,
+      #       as regular members cannot be statically known.
+      systems.oauth2 = {
+        dgn_grafana = {
+          displayName = "Grafana [Analysis]";
+          originLanding = "https://grafana.dgnum.eu";
+          originUrl = "https://grafana.dgnum.eu/";
+          preferShortUsername = true;
+
+          scopeMaps.grp_active = [
+            "openid"
+            "profile"
+            "email"
+          ];
+        };
+
+        dgn_librenms = {
+          allowInsecureClientDisablePkce = true;
+          displayName = "LibreNMS [Network]";
+          enableLegacyCrypto = true;
+          originLanding = "https://nms.dgnum.eu";
+          originUrl = "https://nms.dgnum.eu/";
+          preferShortUsername = true;
+
+          scopeMaps.grp_active = [
+            "openid"
+            "profile"
+            "email"
+          ];
+        };
+
+        dgn_netbird = {
+          displayName = "Netbird [VPN]";
+          enableLocalhostRedirects = true;
+          originLanding = "https://netbird.dgnum.eu";
+          originUrl = "https://netbird.dgnum.eu/";
+          preferShortUsername = true;
+          public = true;
+
+          scopeMaps.grp_active = [
+            "openid"
+            "profile"
+            "email"
+          ];
+        };
+
+        dgn_netbox = {
+          allowInsecureClientDisablePkce = true;
+          displayName = "Netbox [Inventory]";
+          enableLegacyCrypto = true;
+          originLanding = "https://netbox.dgnum.eu";
+          originUrl = "https://netbox.dgnum.eu/";
+          preferShortUsername = true;
+
+          scopeMaps.grp_active = [
+            "openid"
+            "profile"
+            "email"
+          ];
+        };
+
+        dgn_outline = {
+          displayName = "Outline [Docs]";
+          originUrl = "https://docs.dgnum.eu/";
+          originLanding = "https://docs.dgnum.eu";
+          preferShortUsername = true;
+
+          scopeMaps.grp_active = [
+            "openid"
+            "profile"
+            "email"
+          ];
+        };
+      };
+    };
  };

  users.users.kanidm.extraGroups = [ cert.group ];

+  dgn-web.internalPorts.kanidm = port;
+
  services.nginx = {
    enable = true;

@ -58,7 +172,7 @@ in
      enableACME = true;
      forceSSL = true;
      locations."/" = {
-        proxyPass = "https://127.0.0.1:8443";
+        proxyPass = "https://127.0.0.1:${builtins.toString port}";

        extraConfig = ''
          if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
--- a/machines/compute01/kanidm/secrets/secrets.nix
+++ b/machines/compute01/kanidm/secrets/secrets.nix
@ -1,9 +1,4 @@
-let
-  lib = import ../../../../lib { };
-  publicKeys = lib.getNodeKeys "compute01";
-in
-
-lib.setDefault { inherit publicKeys; } [
+(import ../../../../keys).mkSecrets [ "compute01" ] [
  "kanidm-password_admin"
  "kanidm-password_idm_admin"
 ]
--- a/machines/compute01/nextcloud.nix
+++ b/machines/compute01/nextcloud.nix
@ -3,28 +3,24 @@
 let
  host = "cloud.dgnum.eu";
  nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
+
+  port = 9980;
 in
 {
  services.nextcloud = {
    enable = true;
    hostName = host;

-    package = pkgs.nextcloud28;
+    package = pkgs.nextcloud29;

    https = true;

    config = {
-      overwriteProtocol = "https";
-
      dbtype = "pgsql";

      adminpassFile = config.age.secrets."nextcloud-adminpass_file".path;
      adminuser = "thubrecht";

-      defaultPhoneRegion = "FR";
-
-      trustedProxies = [ "::1" ];
-
      objectstore.s3 = {
        enable = true;

@ -61,7 +57,7 @@ in
      "opcache.max_accelerated_files" = "10000";
      "opcache.memory_consumption" = "128";
      "opcache.revalidate_freq" = "1";
-      "opcache.fast_shutdown" = "1";
+      "opcache.fast_shutdown" = "0";
      "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
      catch_workers_output = "yes";
    };
@ -71,11 +67,17 @@ in

    autoUpdateApps.enable = true;

-    extraOptions = {
+    settings = {
+      overwriteprotocol = "https";
+
      overwritehost = host;
      "overwrite.cli.url" = "https://${host}";
      updatechecker = false;

+      default_phone_region = "FR";
+
+      trusted_proxies = [ "::1" ];
+
      allow_local_remote_servers = true;
      maintenance_window_start = 1;

@ -97,22 +99,20 @@ in
  };

  virtualisation.oci-containers = {
-    # # Since 22.05, the default driver is podman but it doesn't work
-    # # with podman. It would however be nice to switch to podman.
-    # backend = "docker";
    containers.collabora = {
      image = "collabora/code";
      imageFile = pkgs.dockerTools.pullImage {
        imageName = "collabora/code";
-        imageDigest = "sha256:a8cce07c949aa59cea0a7f1f220266a1a6d886c717c3b5005782baf6f384d645";
-        sha256 = "sha256-lN6skv62x+x7G7SNOUyZ8W6S/uScrkqE1nbBwwSEWXQ=";
+        imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4";
+        sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM=";
      };
-      ports = [ "9980:9980" ];
+      ports = [ "${builtins.toString port}:${builtins.toString port}" ];
      environment = {
        domain = "cloud.dgnum.eu";
        extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
      };
      extraOptions = [
+        "--network=host"
        "--cap-add"
        "MKNOD"
        "--cap-add"
@ -121,6 +121,8 @@ in
    };
  };

+  dgn-web.internalPorts.collabora = port;
+
  services.nginx.virtualHosts = {
    ${host} = {
      enableACME = true;
@ -138,25 +140,25 @@ in
      extraConfig = ''
        # static files
        location ^~ /browser {
-          proxy_pass http://127.0.0.1:9980;
+          proxy_pass http://127.0.0.1:${builtins.toString port};
          proxy_set_header Host $host;
        }

        # WOPI discovery URL
        location ^~ /hosting/discovery {
-          proxy_pass http://127.0.0.1:9980;
+          proxy_pass http://127.0.0.1:${builtins.toString port};
          proxy_set_header Host $host;
        }

        # Capabilities
        location ^~ /hosting/capabilities {
-          proxy_pass http://127.0.0.1:9980;
+          proxy_pass http://127.0.0.1:${builtins.toString port};
          proxy_set_header Host $host;
        }

        # main websocket
        location ~ ^/cool/(.*)/ws$ {
-          proxy_pass http://127.0.0.1:9980;
+          proxy_pass http://127.0.0.1:${builtins.toString port};
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "Upgrade";
          proxy_set_header Host $host;
@ -165,13 +167,13 @@ in

        # download, presentation and image upload
        location ~ ^/(c|l)ool {
-          proxy_pass http://127.0.0.1:9980;
+          proxy_pass http://127.0.0.1:${builtins.toString port};
          proxy_set_header Host $host;
        }

        # Admin Console websocket
        location ^~ /cool/adminws {
-          proxy_pass http://127.0.0.1:9980;
+          proxy_pass http://127.0.0.1:${builtins.toString port};
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "Upgrade";
          proxy_set_header Host $host;
--- a/machines/compute01/ollama-proxy.nix
+++ b/machines/compute01/ollama-proxy.nix
@ -0,0 +1,15 @@
+{ pkgs, ... }:
+{
+  services.nginx = {
+    virtualHosts."ollama01.beta.dgnum.eu" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://100.80.103.206:11434";
+        basicAuthFile = pkgs.writeText "ollama-htpasswd" ''
+          raito:$y$j9T$UDEHpLtM52hRGK0I4qT6M0$N75AhENLqgtJnTGaPzq51imhjZvuPr.ow81Co1ZTcX2
+        '';
+      };
+    };
+  };
+}
--- a/machines/compute01/outline.nix
+++ b/machines/compute01/outline.nix
@ -2,6 +2,7 @@

 let
  host = "docs.dgnum.eu";
+  port = 3003;
 in
 {
  services.outline = {
@ -35,21 +36,12 @@ in
    defaultLanguage = "fr_FR";

    forceHttps = false;
-    port = 3003;
+    inherit port;
  };

-  services.nginx.virtualHosts.${host} = {
-    enableACME = true;
-    forceSSL = true;
-
-    locations."/" = {
-      proxyPass = "http://localhost:3003";
-      proxyWebsockets = true;
-    };
-
-    locations."/robots.txt" = {
-      return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
-    };
+  dgn-web.simpleProxies.outline = {
+    inherit host port;
+    vhostConfig.locations."/robots.txt".return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
  };

  age-secrets.autoMatch = [ "outline" ];
--- a/machines/compute01/plausible.nix
+++ b/machines/compute01/plausible.nix
@ -38,16 +38,7 @@ in
    };
  };

-  services.nginx = {
-    enable = true;
-
-    virtualHosts.${host} = {
-      enableACME = true;
-      forceSSL = true;
-
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${builtins.toString port}";
-      };
-    };
+  dgn-web.simpleProxies.plausible = {
+    inherit host port;
  };
 }
--- a/machines/compute01/satosa/default.nix
+++ b/machines/compute01/satosa/default.nix
@ -2,16 +2,15 @@

 let
  host = "saml-idp.dgnum.eu";
+  port = 8090;
 in
 {
-
  imports = [ ./module.nix ];

  services.satosa = {
    enable = true;

-    inherit host;
-    port = 8090;
+    inherit host port;

    envFile = config.age.secrets."satosa-env_file".path;

@ -148,9 +147,8 @@ in
    };
  };

-  services.nginx.virtualHosts.${host} = {
-    enableACME = true;
-    forceSSL = true;
+  dgn-web.simpleProxies.satosa = {
+    inherit host port;
  };

  age-secrets.autoMatch = [ "satosa" ];
--- a/machines/compute01/satosa/module.nix
+++ b/machines/compute01/satosa/module.nix
@ -190,14 +190,6 @@ in
      };
    };

-    services.nginx = mkIf cfg.configureNginx {
-      enable = true;
-
-      virtualHosts.${cfg.host} = {
-        locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
-      };
-    };
-
    users.users.satosa = {
      isSystemUser = true;
      group = "satosa";
--- a/machines/compute01/secrets/dgsi-email_host_password_file
+++ b/machines/compute01/secrets/dgsi-email_host_password_file
@ -0,0 +1,28 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA CQffZYaxexZ2f+HeNj+SHeSak0kzNPiq6ExW7tUyCBs
+oJQhtMFD9KSnXSPGRb3zLwCB2/KEXo8cgxHN5ML83Qw
+-> ssh-ed25519 QlRB9Q V1PnEYJvFCdBRzN4z3iDtIzHLxxCimejdkqRS4zMCG8
+bVc87bxPmhofmoscGFBgQ+ffRlo216RiRkkV1MNoQyY
+-> ssh-ed25519 r+nK/Q YI+1MYnCvSq5/QfA2y01IQlJeMGF0AfNs91QlrVaVGs
+HSB8Gai96mjRbM68G3iRmXNkI4kqyJAWTMxWc8UOPr8
+-> ssh-rsa krWCLQ
+k2mssz4C9p8K+rJ6Jbbm+w7uLTqoUOiOKvlt2btEyw2Lup8PQNfyTNFSBvuBMmfj
+re1zuAufH0HIw3B0xWYauBSD4pasc7EFTr/OLoM8BRFMEb11IM5ZKJrO+hnWy0Sk
+eIs6cpkoBVi4GZmkRfbvaitk42i9JzjrKU0OeqLCWQbHmHkTb3acsGXCc6A6JSbF
+AVb+Eaak6EIdX1dP4PWyCxU2PkcBtYBcLoGH74r1o0i3SzvmuzKvlBntx5IzsAvY
+QNGJLNZl0+NePafAkvVY8UOrlzxj+tCgfunAGXIXlZlVfNcjZX9Wv30sJOtwpbw
+DdkJAqSrNkHianC5MEGgpA
+-> ssh-ed25519 /vwQcQ yxGAMhwDcoDjw5MJudEE95PakhZvNpYfmfWiM6wbQBg
+C1o3mNO2YFnBXamCcpAW0aQVGrNNcUpDtSn8+VLobmE
+-> ssh-ed25519 0R97PA XRWbcwt3wXR3AYg0rhzc6OUuAA+blVTf3SHERYy3MkA
+iCBd0E1NrV7tv3/0pD0FYWgUfGmB4M+VWfiixvVGv68
+-> ssh-ed25519 JGx7Ng R47xTx4IGC/qf/v6WOXvJTd20MbeTdZ/8ovAA6d0iyQ
+uBxcQVztpW4QaAR5rKfEVgtmrPk6l51+tY3brNjsTV4
+-> ssh-ed25519 5SY7Kg LNtU+/1YlPX6T6gO2lb/wEei7hsy2oud8cTQXFQy0HY
+xxPvBAIpFyCUqExjseerz6WlwWQEmw9fltzQBx51KI0
+-> ssh-ed25519 p/Mg4Q uWIz5shMnsLXsh160cCW8E6kh9v4LPunOonugjWdSEY
+5aRrIB5gxIplVWDGeMQ6g09togku6LxWRxBP7FbRNU0
+-> ssh-ed25519 tDqJRg G8rNpeGY29czDVMvvt4LZ7nffZ/JAHDzxuIs7C/0SEM
+HowgAvrQQcvUx93ZdK5q2bSsJDqaOxFf+x/lwTRss4I
+--- ktcSPCC1TpguyYJ2ua7IuGcEw+Z9YuqjzcmH18abjo4
+ｻ<EFBFBD>虎 <20><>ｩ煩	ﾈ9<1猤ｶﾜ簒<EFBE9C>pWJSWpsV/ﾑ#<23>ｳﾘ9ﾀ{ﾀﾟcHB<><42><EFBFBD>5<EFBFBD>ｬ^ｧ
--- a/machines/compute01/secrets/dgsi-kanidm_auth_token_file
+++ b/machines/compute01/secrets/dgsi-kanidm_auth_token_file
--- a/machines/compute01/secrets/dgsi-kanidm_secret_file
+++ b/machines/compute01/secrets/dgsi-kanidm_secret_file
@ -0,0 +1,30 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA zSfj75mxEod8RszD4XGaFIeMvcLnBgUHShIW5yFPdiE
+YXaCFZ07BMzehG/PCUFDEzRy+y4c+IESO9kcLx+eG8M
+-> ssh-ed25519 QlRB9Q 39DPdLnRMs5YSQOr/rY2nXO/8s/oCnYDkRex51tZayw
+W3GbNP7qbgW2b0RoZmcWH0kLtQaIV50APGcntjMfn8o
+-> ssh-ed25519 r+nK/Q dnX8kPKvyHS5U1N52QTDwonaHbBh8sv2DPBL1PoBO2E
+mxduSFeWB4tJlrHDEthNKGv/vxzeWUtNwq1b2nDP6Z0
+-> ssh-rsa krWCLQ
+QN1OOmCREY2LljXm0+TAsOSkjIQ0RXyX8w5TVOOus5QAt1WTJan/mm4X1SviWqmn
+UFDIeCoG2l5tBSyZr4VpnDeq7koWRA2eC7WnwWW47PQIRFSyjf+sy00rGR9kxVuL
+1M9gsAGa5sud/PvmgSPSLsGhhrPsH/ZxN9beyIXIwmssmjN34KygUz9+u4T8IkVz
+oxdq75LMzE2o0gcgC1EZ5+rDq0NSPQ9+1KgqwJuKlLKRXGdudgaVEUxX60g2ZnkX
+8fNEgxqEkQ5MNnPfwbVumF6SWmMWyZSJ0rwHC94O1RdRNDcD3yKimuBmNSv2X+3L
+cS3kE9LfNst2zBKHBGBOHQ
+-> ssh-ed25519 /vwQcQ ZD8aiyO6fWEM9zG0iPP1/lftRPNl+mmFLHvGxVpSWzg
+ZcTmN8zSHz8iLQmCLTZCdaqX5En/KrciR8KHwoXl8t0
+-> ssh-ed25519 0R97PA xLQYBS5ozP1e4NWVa9yahN2OQB0Luw7mm3nBYdoHyRI
+SKTRzLfGNFQ9fSX8ZFkKIYPZ4If5QrxcmSoBoGVG2Xk
+-> ssh-ed25519 JGx7Ng XPo1QJ8OS/ShEAaXWwzZCS1p5/C6mLNlk4Us63YTVQ8
+HGbfr8WBfCDKnIlATAeiE6JcLWCbn64vn1Cg7i9QGbA
+-> ssh-ed25519 5SY7Kg CFpRcZmZ7DTspxkmdD8x7dRh1mqOHpTF7GzW5xBtLxw
+n1n6/Ciwwo4rb3Cb6Yv/b1dHSvVAbCuDZ52maNpCexg
+-> ssh-ed25519 p/Mg4Q km6ZjasKtOlaQL8rdVXkjRP4sooql15PrW0lz6YZaDg
+Yrpi65IC3RJS3YSAChKjVyvowGxxmSPFkwa6CXUYVZ4
+-> ssh-ed25519 tDqJRg au3x6e4L1os7OH4WXbdST74LhMsHPjP6KYrTWKUc1i8
+zxKFk51MteTETWEu8peSH/lninM3zZkQi+Xjx5OQMTU
+-> l$R6Y:c1-grease
+MY0HS+ErZAtAhg
+--- w+3gxmkrZ+xxSAQHbERgvsqur0v6k2/U0KUsfegRGcI
+7Ú”gpò7šæ«¹Š\ŠE„àø~Â$±\¹Ä”Q„™H‹R¥˜Èî¼¼2'k4Ž¥zÿqAÌ‡ì'ÍNò!{‹@qxÎ‹,ƒ+iTû
--- a/machines/compute01/secrets/dgsi-secret_key_file
+++ b/machines/compute01/secrets/dgsi-secret_key_file
@ -0,0 +1,31 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA xQaZW42vwq7pndbRqiATFVgl1QM3LbD5Sqzz61yinUY
+7N4GIIAnzwTPA2IgOPWLtE03kCZPihKu8ZAG9e7Bv7k
+-> ssh-ed25519 QlRB9Q mfs9SndrSY1meTEYiVxXLbS7Ecf0rjaQ3vX4626+9CI
+BDdh3a02EqMeO5jPlz6kjmjuLMldf/s9V7hDkIef+g4
+-> ssh-ed25519 r+nK/Q HqduuibujATQyp2TUswgrFyTdcdmPsNsZJ2pOLZ+MTc
+WjFm95dxVYKA2ekOgKzMrMmk1nxfuurmDyMXtUIGnIo
+-> ssh-rsa krWCLQ
+GzznBXY+5RpGFJKli2rOdzO5bun6REyjA78nV8RviQdAN/mGXEZfGFq4HFuQZM0e
+fYADtpZxOZ3vyY/9DqCguay3R02DcyTpAhdb6A3kdzApUVR/3ZKJXy0+l5qRqKD7
+j/cMfIxk/WpsHKHDWKXkG+FiTnF+V+ZtUom9W1aYFc1506OdDbjBVfTnBFs/+WVf
+MWd+Y0ANCFiNH+kjzvALRazkmJgt9SvYWBG6suym6YZ2073GFu85jUJB2juSDmBN
+tp0OJvNrjH5F/CcJXLMVrJz4Azin+2iM+re78cSVmZ1aqLf72RIrg/VhuuNy2MVn
+gU32t9qy5EvTbzliWpAvxw
+-> ssh-ed25519 /vwQcQ rVT/tH4fZ49hwxJTaZMZhzMgkS0MJILZmuL/J1CCPGY
+mW3BNdXsylo0Yhg2KYpGNLoDkd7DYX+NEGF8a7j5R5g
+-> ssh-ed25519 0R97PA vnXhW5pn1XgOJcMcD1cu7hQLlnIrJyp2Bu3TbThBIik
+QFQFocftqwsPS1AbGykbDkIWqaAdZ7I9njS2ZUXz+4w
+-> ssh-ed25519 JGx7Ng ljVNZ4AdZ3DLow2m3mf+6bf9zj6+t9RP7w8Bi7aMlAI
+E5Q9yEA3d2nPTZO2jFkGnsHyo3W19P/lSG6yl3RL6Vo
+-> ssh-ed25519 5SY7Kg 2LcgbYRROFSGfq0L5XBQMl6p62DreGceGqRFzKGi4X8
+x4V+gnzdm1HgjYwhBnYAldkchX4YCsUhqoq1iCaOZ6s
+-> ssh-ed25519 p/Mg4Q Y+o5nrSvL+xL43OHjEnesKV+9gCl4H4gBmBBjbqDABA
+TvGky1wSVanvpq2Xj2FUmRtJ205iq92g6PVDASAfyaE
+-> ssh-ed25519 tDqJRg X0Y8YCi5qOy3Du1/DIMMc4W7P6zQNTlwF4+QrisHCwM
+SzJPH+h5847WSl9CrJatqIf9CSnKGUQZDK6ROD5LqXU
+-> `--grease N]PH
+fdR7jONsDC5Fj/FU++dDsFJSa4sLmvnTzPbt3X96zJDHVQypmV+JMhQNudQGrq9K
+7oPr3+cA61qtqUv6v519zFLtRXkpY6FMiB2euGJufVZqGh9jDzfi0jNu6dUO7A
+--- a0TP8YPal5jgd3BSIm0THbaMHgLOiOgMqdlwQwUGzWk
+:È/Àn	ž±Ý§¦p=fu²hã–T¶ÅêFÂ—ÙêÂ¥nh¢„¾•œ¹ÀU2#„éµÆ©“ºôâ>Û“<4.<2E>uŸ‰’…m3Ü&<26>g¤(ö<>5Û¶Ã›
--- a/machines/compute01/secrets/dgsi-x509_cert_file
+++ b/machines/compute01/secrets/dgsi-x509_cert_file
--- a/machines/compute01/secrets/dgsi-x509_key_file
+++ b/machines/compute01/secrets/dgsi-x509_key_file
--- a/machines/compute01/secrets/secrets.nix
+++ b/machines/compute01/secrets/secrets.nix
@ -1,14 +1,16 @@
-let
-  lib = import ../../../lib { };
-  publicKeys = lib.getNodeKeys "compute01";
-in
-
-lib.setDefault { inherit publicKeys; } [
+(import ../../../keys).mkSecrets [ "compute01" ] [
+  # List of secrets for compute01
  "arkheon-env_file"
  "bupstash-put_key"
+  "dgsi-email_host_password_file"
+  "dgsi-kanidm_auth_token_file"
+  "dgsi-kanidm_secret_file"
+  "dgsi-secret_key_file"
+  "dgsi-x509_cert_file"
+  "dgsi-x509_key_file"
  "ds-fr-secret_file"
-  "grafana-smtp_password_file"
  "grafana-oauth_client_secret_file"
+  "grafana-smtp_password_file"
  "hedgedoc-environment_file"
  "librenms-database_password_file"
  "librenms-environment_file"
--- a/machines/compute01/secrets/signal-irc-bridge-config
+++ b/machines/compute01/secrets/signal-irc-bridge-config
@ -1,29 +1,29 @@
 age-encryption.org/v1
-> ssh-ed25519 jIXfPA amum6RbXOklYVgw9LbePC/FlJPJHLRT1peBvcD7+3xE
-xB0z2R0gERJNMQnuuWlMZBvwBLD/0Cb70rFrnYg7Xm0
-> ssh-ed25519 QlRB9Q 3+JuXBQQWcQbC2HsfO5FY+MQrSIpXJ1DBOpp9vHH7GY
-7IcedTCLy1clAfhlhfkkMcLLq1FNM1kugRgdnAkXeCY
-> ssh-ed25519 r+nK/Q fS289K4zpwTlcXaI1TrfmUTdatunytf3I/Yjh33PHQQ
-4n05isyZbYWQyyASL3FRiaL4IrliW+l5uxorfKgs1Es
+-> ssh-ed25519 jIXfPA Io/zqmrxU05V3yhgyGySW5f2hlQdBOqzXzv2I5x+nVs
+O5szAc5hiv4Kw+Xo90mhst3vGLqhtqSuaKxPTkCQCJw
+-> ssh-ed25519 QlRB9Q 9gQ+5aCcW+gi30S20om5+Zign9zXfgKlG9/59a2rdl4
+nXyckLZ6zNdG096GAPlK/gyold3XxOqeKB1Kiy/BCmI
+-> ssh-ed25519 r+nK/Q nctFMke6IvbEII3/Mq7wq9Cb30GO1yBqePJXdOFjExs
+fMEbZoSsvMiFS2wHD0RCcSqbigmFHCnhEagXDTYBIW8
 -> ssh-rsa krWCLQ
-dk+PWx2abIh09/6BNshqi6X7P4uqdlO8ofsBebYlQW8j7hwFTJ89ivERMq35h/6A
-6JT8R2QRpqT8HLYK21Wi3kDaiHF0H7KhHdXotTqCi4zFAqUFRKHs96dZsSgOePoL
-iJA7a/YHofpgjzZmNvc1ewLdmDD6+SnHXIzHfdHrFINUu2iRVDPwlyidOvRzJuGu
-OJv+KChAZ0l2RhQCH+dw5uzJZP6WKfoNhsupTtxLRlfb/gEWSUfahA85rWc5JvT4
-udw/oW3C7/hjiwKa8sd5XmxWz8BYut7OwTAFEXZCDSVuABjfUOKCF9IduTO3C8hP
-9fxCaztbhnCicDbTseP3rQ
-> ssh-ed25519 /vwQcQ 3NrE1YovFZCAdBv2jjGLkj07Auqyt1gBxP5zn0vXNkc
-hYIWVsJNiKIbMl7zg7Qlf/HqwZ49eQsFs/3pFH809K8
-> ssh-ed25519 0R97PA aw0rnvI6F3l/XA9SmK6I/mxDuVU7SD3jVcliix4u91Y
-TR+cZbyrengvbKF2jjhF42N+Iq7F3PMO71tc8e/Dy6s
-> ssh-ed25519 JGx7Ng k+FsCk0FCgwsIOICmyOwJhrbTgleVoiqopv4cY5fmHQ
-ZNCkfdStH2LqTiDTZ4VZIomsPw+S8PeSZpz/r088iAM
-> ssh-ed25519 5SY7Kg bN3Yr4E+74hi46Zn6eLknIxbhW7E+XGPGuF1I07h7EU
-UgX/w4B5iyJKXPcG4DCcM+vsZS/iGM8NFRS3F5qbif8
-> ssh-ed25519 p/Mg4Q U1UZZaCOZ/gpLC0wc+ltv6Gx0GsYucydBmlHwnZT00k
-Dod7IsbtLnX89ekJGoRevH5OLd/ztLD4bsz3mUiuoHU
-> ssh-ed25519 tDqJRg ydfBlrMl0PiStKGgxM48S2SFOQ+TdCU7WVkKoEne6W0
-WNRZAx3aKOq+/Cz7TGI6Eu1QN+hqZlPuscGBNkOJBhg
--- E6Fp2JAT9jd8jYWOtMWkH0BNqrafOxBzyRLdK5H1/CI
-,Ò|®<Û([Û‡ÐUå¥-ÙŽ‘`/ú:z õÀ§aØ2çu<C3A7>d"òB íÀ•°<E280A2>	Gž»ŒžJÈô$ë¼=ÿ£Eé&Î4tè<74>€¶§<C2B6>â¶÷v?g-º¦0!PCé¹S¹ból½nWf‹|:›ørm^éº•:¹ÎÊ\nOƒEc<45>Zé?‹°
4ŒÎ+W©X;
û=7j6!Å@«Ãœ)oœ¸Ì<C2B8>4Ø+ÞÑ÷/¯3òÊ¤-…;$aeµ‘Ûˆ¶jß¹²:=åféØª§ÀcŽJnžèÁû4Eø/_¬L€9³`Úò<C39A>Æðä³Ë:^:O<>ìp
H(Ð÷ <20>Äé‚ƒàÄ ¢~ÔÛû×,iùºÎk~&çùpÐ¼0ìÜçÖèòG¢e`Å<>Ï•Õq"šè!™r‹<72>Í²s 
-þô*«ý‘Ö®þ5
‰PÂ¿ºB¥.Ï\{wW<_E•)Rh
+i7lgxs2DFU6OYdR0wC9NBJAUrYOarTpIBu8JiQKKTymkGauTtpCkOgakEF7N/TLd
+1KFX6ww2lhmGwgi/4qYK5R21geqbLaogm5LsSrWgwI+nAqzAasD30i4MYWSfd1PS
+kewXfRmMOUc2feMN/FiLDlyxxdg3DQImEwwAUq3k4F7W7/ggi4qPKzqzGhlOG1kB
+Ma05hLsOhTVwbyRQzf9MFDUypYJ8KRsV5/rdxnGzTaJLlYbNoQpIG3lQZelggGpS
+N6f5kz0fHRkTqCrINJpmLVkvQDbNNDslsDcr86O0LEI7NPrBry5fUSxI+YOzCJCu
+3xnkIiYlcua2WGEXNd6vPQ
+-> ssh-ed25519 /vwQcQ L9OynFtsmYWQBB/PKHsJ4B2mdUFk8wkuPzaKBmvKERc
+LPHLANWrv90EFdF+cXEOFnOf1XaLWeyEDij+DYVrDJM
+-> ssh-ed25519 0R97PA 49YuJOzGjfLe8RixCtw8Z/EEngEGyNRQjb6sDXESQyM
+ICCw8XFpzJjZpOayDR6uoHqdv0vuEVg1uQyNrNONj8s
+-> ssh-ed25519 JGx7Ng fESc17fhVuC9dfNvDZKLq5EheYw+ufw0hpJqeDffxSE
+CWRV2wnZYh/bK5xgCDUASUmYMWSLbTXqnD1TFcbEHUU
+-> ssh-ed25519 5SY7Kg DgOrBwnV6Uxc5dMcNSR57HSgTW5DsG9Y9kcNYNevMGw
+W0HtwhGJ2jiU9jrfvGoEXthZ3ewxAL8ERNOUYSgWI1A
+-> ssh-ed25519 p/Mg4Q doo+f6eD3s2uoMwekzHcUFCsls8gNZjiI0Nyyd1sClA
+NZnBQy9PJeabIwp6N7D85sI/UbCIcC7FzQALoNOD5h0
+-> ssh-ed25519 tDqJRg tVVtvHVf/l4k+vr5A81tKTff49Rn1L1lrONq1DaGxDk
+vskCx+/l45iAtB8Mn6S9T7I0rKEGgesDfqBrrT0wewU
+--- HQzVXwtwdHyjKCBSbBOTiytzpLVc1eBCZZgW7sIgFEI
+9˜†%}‹/JÞ„U»cMä8É<38>ç™`®=%¿ÝîN}
è9tñœÇ§‰¡‹¨‰rî§°Œ}ˆ½KÿøžqøëO5GlùÑct’#"	Ò[Yw½e‰<65>_ûtˆ)f3Çòª´ÕGÊ2›¹j„Wý^ìr¹ôYa=ESÓ ýØ,<2C>“‘²Ú“rÐ_„£
ý8E ªª
Ž¬1çî•íÅ‡“sÂ<73>ü–¼<”µŸ‚£0QMU"Œ±Ú’ÅõõË†¬wSúœ4º=ï‰G(ˆ’º<<3C>?iZSW]Œ.pP93±zžl¸OSd·êS¯šçI8Äe×²·Ú7ÃUMù¯< ªº<C2AA>Ýžóì<>?îOc2Z¬Uº Ä•èc²Ã Ô—×7@ÄýôóŠò=¨Zæ™ihC“žXß”QŸcÉ¹[èo=kÏòñËÞL"ZÍ/uê´q
ÛGä›–çó
Ú[<5B>–ú,£«i×Ãäs<C3A4>Jÿ•=GBç~^€Ù'Aý´èÕ±©¹í*giÝ|Ý*ù’N·ÿŠË‘a]º˜áäši|áÔŽP'_(½±ÂQLŽØl„O 0ŠÈÛ´
+P94Ï¨äÛF½]³¡È{Öºeç4ý[McQu‚ÎÞî«¥JwÈƒ¼Ê“÷•ÁÛX@RÙÑÛŒú‰5M•Ý£‹V<E280B9>rjÇ—ó<E28094>„—½¢Ÿó7<C3B3>[¨8qÐb
--- a/machines/compute01/signal-irc-bridge.nix
+++ b/machines/compute01/signal-irc-bridge.nix
@ -7,12 +7,16 @@
 {
  imports = [ (import (sources.signal-irc-bridge.outPath + "/module.nix")) ];

-  systemd.services.signal-irc-bridge.serviceConfig = {
-    Group = "nginx";
-  };
  services.signal-irc-bridge = {
    enable = true;
    package = nixpkgs.unstable.callPackage (sources.signal-irc-bridge.outPath + "/package.nix") { };
    configFile = config.age.secrets."signal-irc-bridge-config".path;
  };
+
+  services.nginx.virtualHosts."bridge.dgnum.eu" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/files/".alias = "/var/lib/signal-irc/hermes-media/";
+  };
+  users.users.nginx.extraGroups = [ "signal-irc" ];
 }
--- a/machines/compute01/stirling-pdf.nix
+++ b/machines/compute01/stirling-pdf.nix
@ -1,30 +0,0 @@
-{ nixpkgs, ... }:
-
-let
-  dgn-id = "57ac2e06a00384772bf63f055874ce2fefe4eb0a";
-in
-
-{
-  services.stirling-pdf = {
-    enable = true;
-
-    package = nixpkgs.unstable.stirling-pdf.overrideAttrs (old: {
-      patches = (old.patches or [ ]) ++ [
-        (builtins.fetchurl "https://git.dgnum.eu/DGNum/Stirling-PDF/commit/${dgn-id}.patch")
-      ];
-    });
-
-    domain = "pdf.dgnum.eu";
-    port = 8084;
-
-    nginx = {
-      enableACME = true;
-      forceSSL = true;
-    };
-
-    environment = {
-      UI_APP_NAME = "DGNum PDF";
-      SYSTEM_DEFAULT_LOCALE = "fr-FR";
-    };
-  };
-}
--- a/machines/compute01/stirling-pdf/01-spotless.patch
+++ b/machines/compute01/stirling-pdf/01-spotless.patch
@ -0,0 +1,35 @@
+diff --git a/build.gradle b/build.gradle
+index 78901d8e..3a14ceee 100644
+--- a/build.gradle
+++ b/build.gradle
+@@ -70,20 +70,6 @@ launch4j {
+   messagesInstanceAlreadyExists="Stirling-PDF is already running."
+ }
+ 
+-spotless {
+-    java {
+-        target project.fileTree('src/main/java')
+-
+-        googleJavaFormat('1.19.1').aosp().reorderImports(false)
+-
+-        importOrder('java', 'javax', 'org', 'com', 'net', 'io')
+-        toggleOffOn()
+-        trimTrailingWhitespace()
+-        indentWithSpaces()
+-        endWithNewline()
+-    }
+-}
+-
+ dependencies {
+     //security updates
+     implementation 'ch.qos.logback:logback-classic:1.5.3'
+@@ -171,9 +157,6 @@ dependencies {
+     annotationProcessor 'org.projectlombok:lombok:1.18.32'
+ }
+ 
+-tasks.withType(JavaCompile).configureEach {
+-    dependsOn 'spotlessApply'
+-}
+ compileJava {
+     options.compilerArgs << '-parameters'
+ }
--- a/machines/compute01/stirling-pdf/02-propsfile.patch
+++ b/machines/compute01/stirling-pdf/02-propsfile.patch
@ -0,0 +1,12 @@
+diff --git a/build.gradle b/build.gradle
+index 78901d8e..2e7ff96b 100644
+--- a/build.gradle
+++ b/build.gradle
+@@ -166,6 +166,7 @@ task writeVersion  {
+     def props = new Properties()
+     props.setProperty('version', version)
+     props.store(propsFile.newWriter(), null)
+    propsFile.text = propsFile.readLines().tail().join('\n')
+ }
+ 
+ swaggerhubUpload {
--- a/machines/compute01/stirling-pdf/03-jar-timestamps.patch
+++ b/machines/compute01/stirling-pdf/03-jar-timestamps.patch
@ -0,0 +1,16 @@
+diff --git a/build.gradle b/build.gradle
+index 2e7ff96b..f3a4a15c 100644
+--- a/build.gradle
+++ b/build.gradle
+@@ -21,6 +21,11 @@ repositories {
+     mavenCentral()
+ }
+ 
+tasks.withType(AbstractArchiveTask) {
+    preserveFileTimestamps = false
+    reproducibleFileOrder = true
+}
+
+ licenseReport {
+     renderers = [new JsonReportRenderer()]
+ }
--- a/machines/compute01/stirling-pdf/04-local-maven-deps.patch
+++ b/machines/compute01/stirling-pdf/04-local-maven-deps.patch
@ -0,0 +1,25 @@
+diff --git a/build.gradle b/build.gradle
+index f3a4a15c..61fbd74e 100644
+--- a/build.gradle
+++ b/build.gradle
+@@ -18,7 +18,7 @@ version = '0.26.1'
+ sourceCompatibility = '17'
+ 
+ repositories {
+-    mavenCentral()
+    maven { url '@deps@' }
+ }
+ 
+ tasks.withType(AbstractArchiveTask) {
+diff --git a/settings.gradle b/settings.gradle
+index f8139930..2c87f3cc 100644
+--- a/settings.gradle
+++ b/settings.gradle
+@@ -1 +1,7 @@
+pluginManagement {
+    repositories {
+        maven { url '@deps@' }
+    }
+}
+
+ rootProject.name = 'Stirling-PDF'
--- a/machines/compute01/stirling-pdf/05-java-output-test.patch
+++ b/machines/compute01/stirling-pdf/05-java-output-test.patch
@ -0,0 +1,22 @@
+diff --git a/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java b/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java
+index cab78313..192922f3 100644
+--- a/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java
+++ b/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java
+@@ -19,7 +19,7 @@ public class ProcessExecutorTest {
+         processExecutor = ProcessExecutor.getInstance(ProcessExecutor.Processes.LIBRE_OFFICE);
+     }
+ 
+-    @Test
+    /* @Test
+     public void testRunCommandWithOutputHandling() throws IOException, InterruptedException {
+         // Mock the command to execute
+         List<String> command = new ArrayList<>();
+@@ -32,7 +32,7 @@ public class ProcessExecutorTest {
+         // Check the exit code and output messages
+         assertEquals(0, result.getRc());
+         assertNotNull(result.getMessages()); // Check if messages are not null
+-    }
+    } */
+ 
+     @Test
+     public void testRunCommandWithOutputHandling_Error() {
--- a/machines/compute01/stirling-pdf/default.nix
+++ b/machines/compute01/stirling-pdf/default.nix
@ -0,0 +1,42 @@
+{ nixpkgs, ... }:
+
+let
+  ###
+  # How to update:
+  # - clone https://git.dgnum.eu/DGNum/Stirling-PDF
+  # - switch to the branch dgn-v0.X.Y where X.Y is the version in production
+  # - fetch upstream changes up to the tagged release in nixos-unstable
+  # - rebase onto the upstream branch, so that the last commit is "feat: Add DGNum customization"
+  # - push to a new branch dgn-v0.A.B where A.B is the new version
+  # - finally, update the commit hash of the customization patch
+
+  dgn-id = "d73e347b1cefe23092bfcb2d3f8a23903410203e";
+  port = 8084;
+in
+
+{
+  dgn-web.internalPorts.stirling-pdf = port;
+
+  services.stirling-pdf = {
+    enable = true;
+
+    package = nixpkgs.unstable.stirling-pdf.overrideAttrs (old: {
+      patches = (old.patches or [ ]) ++ [
+        (builtins.fetchurl "https://git.dgnum.eu/DGNum/Stirling-PDF/commit/${dgn-id}.patch")
+      ];
+    });
+
+    domain = "pdf.dgnum.eu";
+    inherit port;
+
+    nginx = {
+      enableACME = true;
+      forceSSL = true;
+    };
+
+    environment = {
+      UI_APP_NAME = "DGNum PDF";
+      SYSTEM_DEFAULT_LOCALE = "fr-FR";
+    };
+  };
+}
--- a/machines/compute01/takumi.nix
+++ b/machines/compute01/takumi.nix
@ -0,0 +1 @@
+_: { dgn-chatops.enable = true; }
--- a/machines/compute01/vaultwarden.nix
+++ b/machines/compute01/vaultwarden.nix
@ -2,6 +2,8 @@

 let
  host = "pass.dgnum.eu";
+  port = 10501;
+  wsPort = 10500;
 in
 {
  services.vaultwarden = {
@ -10,9 +12,9 @@ in
    config = {
      DOMAIN = "https://${host}";
      WEBSOCKET_ENABLED = true;
-      WEBSOCKET_PORT = 10500;
+      WEBSOCKET_PORT = wsPort;
      SIGNUPS_DOMAINS_WHITELIST = "dgnum.eu,ens.fr,ens.psl.eu";
-      ROCKET_PORT = 10501;
+      ROCKET_PORT = port;
      ROCKET_ADDRESS = "127.0.0.1";
      SIGNUPS_VERIFY = true;
      USE_SYSLOG = true;
@ -31,45 +33,38 @@ in
    environmentFile = config.age.secrets."vaultwarden-environment_file".path;
  };

-  services = {
-    nginx = {
-      enable = true;
+  dgn-web = {
+    internalPorts.vaultwarden-websockets = wsPort;

-      virtualHosts.${host} = {
-        forceSSL = true;
-        enableACME = true;
+    simpleProxies.vaultwarden = {
+      inherit host port;
+      proxyWebsockets = true;

-        locations = {
-          "/" = {
-            proxyPass = "http://127.0.0.1:10501";
-            proxyWebsockets = true;
-          };
+      vhostConfig.locations = {
+        "/notifications/hub" = {
+          proxyPass = "http://127.0.0.1:${builtins.toString port}";
+          proxyWebsockets = true;
+        };

-          "/notifications/hub" = {
-            proxyPass = "http://127.0.0.1:10500";
-            proxyWebsockets = true;
-          };
-
-          "/notifications/hub/negotiate" = {
-            proxyPass = "http://127.0.0.1:10501";
-            proxyWebsockets = true;
-          };
+        "/notifications/hub/negotiate" = {
+          proxyPass = "http://127.0.0.1:${builtins.toString wsPort}";
+          proxyWebsockets = true;
        };
      };
    };
+  };

-    postgresql = {
-      enable = true;
+  services.postgresql = {
+    enable = true;

-      ensureDatabases = [ "vaultwarden" ];
+    ensureDatabases = [ "vaultwarden" ];

-      ensureUsers = [
-        {
-          name = "vaultwarden";
-          ensureDBOwnership = true;
-        }
-      ];
-    };
+    ensureUsers = [
+      {
+        name = "vaultwarden";
+        ensureDBOwnership = true;
+      }
+    ];
  };

  dgn-backups.jobs.vaultwarden.settings.paths = [ "/var/lib/bitwarden_rs" ];
--- a/machines/geo01/secrets/secrets.nix
+++ b/machines/geo01/secrets/secrets.nix
@ -1,5 +1,3 @@
-let
-  lib = import ../../../lib { };
-  publicKeys = lib.getNodeKeys "geo01";
-in
-lib.setDefault { inherit publicKeys; } [ ]
+(import ../../../keys).mkSecrets [ "geo01" ] [
+  # List of secrets for geo01
+]
--- a/machines/geo02/secrets/secrets.nix
+++ b/machines/geo02/secrets/secrets.nix
@ -1,5 +1,3 @@
-let
-  lib = import ../../../lib { };
-  publicKeys = lib.getNodeKeys "geo02";
-in
-lib.setDefault { inherit publicKeys; } [ ]
+(import ../../../keys).mkSecrets [ "geo02" ] [
+  # List of secrets for geo02
+]
--- a/machines/rescue01/_configuration.nix
+++ b/machines/rescue01/_configuration.nix
@ -3,7 +3,7 @@
 lib.extra.mkConfig {
  enabledModules = [
    # List of modules to enable
-    "dgn-fail2ban"
+    "dgn-web"
  ];

  enabledServices = [
@ -12,11 +12,6 @@ lib.extra.mkConfig {
  ];

  extraConfig = {
-    dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
-      "sshd-bruteforce"
-      "sshd-timeout"
-    ];
-
    services.netbird.enable = true;
  };

--- a/machines/rescue01/secrets/secrets.nix
+++ b/machines/rescue01/secrets/secrets.nix
@ -1,5 +1,4 @@
-let
-  lib = import ../../../lib { };
-  publicKeys = lib.getNodeKeys "rescue01";
-in
-lib.setDefault { inherit publicKeys; } [ "stateless-uptime-kuma-password" ]
+(import ../../../keys).mkSecrets [ "rescue01" ] [
+  # List of secrets for rescue01
+  "stateless-uptime-kuma-password"
+]
--- a/machines/rescue01/uptime-kuma.nix
+++ b/machines/rescue01/uptime-kuma.nix
@ -36,6 +36,7 @@ let
    "cdn.dgnum.eu"
    "saml-idp.dgnum.eu"
    "status.dgnum.eu"
+    "radius.dgnum.eu"
  ] ++ (concatLists (mapAttrsToList (_: { config, ... }: config.dgn-redirections.retired) nodes));

  extraProbes = {
@ -45,6 +46,16 @@ let
        accepted_statuscodes = [ "401" ];
      };

+      "ollama01.beta.dgnum.eu" = {
+        type = mkForce "http";
+        accepted_statuscodes = [ "401" ];
+      };
+
+      "s3-admin.dgnum.eu" = {
+        type = mkForce "http";
+        accepted_statuscodes = [ "400" ];
+      };
+
      "api.meet.dgnum.eu" = {
        keyword = "Crab Fit API";
      };
@ -121,24 +132,11 @@ in

  services.uptime-kuma.enable = true;

-  services.nginx = {
-    enable = true;
-
-    virtualHosts.${host} = {
-      enableACME = true;
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${builtins.toString port}";
-        proxyWebsockets = true;
-      };
-    };
+  dgn-web.simpleProxies.uptime-kuma = {
+    inherit host port;
+    proxyWebsockets = true;
  };

-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
-
  statelessUptimeKuma = {
    probesConfig = mkMerge [
      pingProbes
--- a/machines/storage01/_configuration.nix
+++ b/machines/storage01/_configuration.nix
@ -4,13 +4,12 @@ lib.extra.mkConfig {
  enabledModules = [
    # List of modules to enable
    "dgn-backups"
-    "dgn-fail2ban"
    "dgn-web"
  ];

  enabledServices = [
    # List of services to enable
-    "atticd"
+    "tvix-cache"
    "forgejo"
    "forgejo-runners"
    "garage"
@ -18,11 +17,11 @@ lib.extra.mkConfig {
    "netbird"
    "peertube"
    "prometheus"
+    "redirections"
+    "victoria-metrics"
  ];

  extraConfig = {
-    dgn-fail2ban.jails.sshd-preauth.enabled = true;
-
    dgn-hardware.useZfs = true;

    services.netbird.enable = true;
--- a/machines/storage01/atticd.nix
+++ b/machines/storage01/atticd.nix
@ -1,82 +0,0 @@
-{ config, nixpkgs, ... }:
-
-let
-  host = "cachix.dgnum.eu";
-in
-{
-  services = {
-    atticd = {
-      enable = true;
-
-      credentialsFile = config.age.secrets."atticd-credentials_file".path;
-
-      settings = {
-        listen = "127.0.0.1:9090";
-        api-endpoint = "https://${host}/";
-
-        allowed-hosts = [ host ];
-
-        chunking = {
-          # The minimum NAR size to trigger chunking
-          #
-          # If 0, chunking is disabled entirely for newly-uploaded NARs.
-          # If 1, all NARs are chunked.
-          nar-size-threshold = 0; # 64 KiB
-
-          # The preferred minimum size of a chunk, in bytes
-          min-size = 16 * 1024; # 16 KiB
-
-          # The preferred average size of a chunk, in bytes
-          avg-size = 64 * 1024; # 64 KiB
-
-          # The preferred maximum size of a chunk, in bytes
-          max-size = 256 * 1024; # 256 KiB
-        };
-
-        database.url = "postgresql://atticd?host=/run/postgresql";
-
-        storage = {
-          type = "s3";
-          region = "garage";
-          bucket = "attic-dgnum";
-          endpoint = "https://s3.dgnum.eu";
-        };
-      };
-
-      useFlakeCompatOverlay = false;
-      package = nixpkgs.unstable.attic-server;
-    };
-
-    nginx = {
-      enable = true;
-
-      virtualHosts.${host} = {
-        enableACME = true;
-        forceSSL = true;
-
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:9090";
-
-          extraConfig = ''
-            client_max_body_size 10G;
-          '';
-        };
-      };
-    };
-
-    postgresql = {
-      enable = true;
-
-      ensureDatabases = [ "atticd" ];
-
-      ensureUsers = [
-        {
-          name = "atticd";
-          ensureDBOwnership = true;
-        }
-      ];
-    };
-  };
-
-  systemd.services.atticd.environment.RUST_LOG = "warn";
-}
--- a/machines/storage01/forgejo-runners.nix
+++ b/machines/storage01/forgejo-runners.nix
@ -1,9 +1,4 @@
-{
-  config,
-  pkgs,
-  nixpkgs,
-  ...
-}:
+{ config, pkgs, ... }:

 let
  url = "https://git.dgnum.eu";
@ -36,14 +31,12 @@ in

    inherit url;

-    storePath = "/data/slow/nix";
+    storePath = "/data/slow";
    tokenFile = config.age.secrets."forgejo_runners-token_file".path;

    dependencies = [
-      pkgs.colmena
      pkgs.npins
      pkgs.tea
-      nixpkgs.unstable.nixfmt-rfc-style
    ];

    containerOptions = [ "--cpus=4" ];
--- a/machines/storage01/forgejo.nix
+++ b/machines/storage01/forgejo.nix
@ -31,6 +31,7 @@ in

        admin = {
          DEFAULT_EMAIL_NOTIFICATIONS = "enabled";
+          SEND_NOTIFICATION_EMAIL_ON_NEW_USER = true;
        };

        log.LEVEL = "Warn";
@ -44,16 +45,23 @@ in
          USER = "web-services@infra.dgnum.eu";
        };

+        session = {
+          SESSION_LIFE_TIME = 24 * 3600 * 7;
+          GC_INTERVAL_TIME = 24 * 3600 * 7;
+        };
+
        server = {
          ROOT_URL = "https://${host}/";
          DOMAIN = host;
          HTTP_ADDRESS = "127.0.0.1";
          HTTP_PORT = port;
          APP_DATA_PATH = "/var/lib/git/data";
+          OFFLINE_MODE = false;
        };

        service = {
          EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*";
+          EMAIL_DOMAIN_BLOCKLIST = "*.shop,*.online,*.store";
          ENABLE_NOTIFY_MAIL = true;

          DISABLE_REGISTRATION = false;
@ -61,22 +69,19 @@ in
        };

        ui.THEMES = "forgejo-auto,forgejo-light,forgejo-dark";
+
+        "cron.cleanup_actions".ENABLED = true;
+        "cron.delete_old_actions".ENABLED = true;
+        "cron.git_gc_repos".ENABLED = true;
+        "cron.update_checker".ENABLED = false;
      };

      mailerPasswordFile = config.age.secrets."forgejo-mailer_password_file".path;
    };
+  };

-    nginx = {
-      enable = true;
-
-      virtualHosts.${host} = {
-        enableACME = true;
-        forceSSL = true;
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:${toString port}";
-        };
-      };
-    };
+  dgn-web.simpleProxies.forgejo = {
+    inherit host port;
  };

  users.users.git = {
--- a/machines/storage01/garage.nix
+++ b/machines/storage01/garage.nix
@ -1,6 +1,13 @@
-{ config, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:

 let
+  inherit (lib) mapAttrs' nameValuePair;
+
  host = "s3.dgnum.eu";
  webHost = "cdn.dgnum.eu";

@ -8,50 +15,66 @@ let
  metadata_dir = "/data/fast/garage/meta";

  domains = [
+    "bandarretdurgence.ens.fr"
    "boussole-sante.normalesup.eu"
+    "lanuit.ens.fr"
    "simi.normalesup.eu"
  ];

  buckets = [
-    "castopod-dgnum"
-    "peertube-videos-dgnum"
+    "monorepo-terraform-state"
+
    "banda-website"
+    "castopod-dgnum"
+    "hackens-website"
+    "nuit-website"
+    "peertube-videos-dgnum"
  ] ++ domains;

  mkHosted = host: builtins.map (b: "${b}.${host}");
+
+  ports = {
+    admin_api = 3903;
+    k2v_api = 3904;
+    rpc = 3901;
+    s3_api = 3900;
+    s3_web = 3902;
+  };
 in
 {
+  dgn-web.internalPorts = mapAttrs' (name: nameValuePair "garage-${name}") ports;
+
  services.garage = {
    enable = true;

-    package = pkgs.garage_0_9;
+    package = pkgs.garage_1_0_1;

    settings = {
      inherit data_dir metadata_dir;

      db_engine = "lmdb";

-      replication_mode = "none";
+      replication_mode = "none"; # TODO: deprecated
      compression_level = 7;

-      rpc_bind_addr = "[::]:3901";
-      rpc_public_addr = "127.0.0.1:3901";
+      rpc_bind_addr = "[::]:${toString ports.rpc}";
+      rpc_public_addr = "127.0.0.1:${toString ports.rpc}";

      s3_api = {
        s3_region = "garage";
-        api_bind_addr = "127.0.0.1:3900";
+        api_bind_addr = "127.0.0.1:${toString ports.s3_api}";
        root_domain = ".${host}";
      };

      s3_web = {
-        bind_addr = "127.0.0.1:3902";
+        bind_addr = "127.0.0.1:${toString ports.s3_web}";
        root_domain = ".${webHost}";
        index = "index.html";
      };

-      k2v_api.api_bind_addr = "[::]:3904";
+      k2v_api.api_bind_addr = "[::]:${toString ports.k2v_api}";

-      admin.api_bind_addr = "127.0.0.1:3903";
+      admin.api_bind_addr = "127.0.0.1:${toString ports.admin_api}";
    };

    environmentFile = config.age.secrets."garage-environment_file".path;
@ -63,7 +86,7 @@ in
      data_dir
      metadata_dir
    ];
-    TimeoutSec = 3000;
+    TimeoutSec = 600;
  };

  users.users.garage = {
@ -73,6 +96,17 @@ in
  users.groups.garage = { };

  services.nginx.virtualHosts = {
+    "s3-admin.dgnum.eu" = {
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/".extraConfig = ''
+        proxy_pass http://127.0.0.1:${toString ports.admin_api};
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $host;
+      '';
+    };
+
    ${host} = {
      enableACME = true;
      forceSSL = true;
@ -80,7 +114,7 @@ in
      serverAliases = mkHosted host buckets;

      locations."/".extraConfig = ''
-        proxy_pass http://127.0.0.1:3900;
+        proxy_pass http://127.0.0.1:${toString ports.s3_api};
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        # Disable buffering to a temporary file.
@ -96,7 +130,7 @@ in
      serverAliases = domains ++ (mkHosted webHost buckets);

      locations."/".extraConfig = ''
-        proxy_pass http://127.0.0.1:3902;
+        proxy_pass http://127.0.0.1:${toString ports.s3_web};
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
      '';
--- a/machines/storage01/influxdb.nix
+++ b/machines/storage01/influxdb.nix
@ -5,6 +5,7 @@ let
  token = user: secret "${user}_token_file";

  host = "influx.dgnum.eu";
+  port = 8086;
 in

 {
@ -41,13 +42,8 @@ in
    };
  };

-  services.nginx.virtualHosts.${host} = {
-    enableACME = true;
-    forceSSL = true;
-
-    locations."/" = {
-      proxyPass = "http://127.0.0.1:8086";
-    };
+  dgn-web.simpleProxies.influxdb = {
+    inherit host port;
  };

  age-secrets.autoMatch = [ "influxdb2" ];
--- a/machines/storage01/netbird.nix
+++ b/machines/storage01/netbird.nix
@ -0,0 +1,82 @@
+{
+  config,
+  lib,
+  nixpkgs,
+  ...
+}:
+
+let
+  domain = "netbird.dgnum.eu";
+
+  s = name: config.age.secrets.${name}.path;
+in
+{
+  services = {
+    netbird.server = {
+      enable = true;
+
+      package = nixpkgs.unstable.netbird;
+
+      inherit domain;
+
+      enableNginx = true;
+
+      coturn.enable = lib.mkForce false;
+
+      relay = {
+        environmentFile = s "netbird-relay_environment_file";
+        metricsPort = 9094;
+      };
+
+      dashboard = {
+        settings = {
+          AUTH_AUTHORITY = "https://sso.dgnum.eu/oauth2/openid/dgn_netbird";
+          AUTH_AUDIENCE = "dgn_netbird";
+          AUTH_CLIENT_ID = "dgn_netbird";
+        };
+      };
+
+      management = {
+        oidcConfigEndpoint = "https://sso.dgnum.eu/oauth2/openid/dgn_netbird/.well-known/openid-configuration";
+
+        dnsDomain = "dgnum";
+
+        metricsPort = 9092;
+
+        settings = {
+          DataStoreEncryptionKey._secret = s "netbird-data_store_encryption_key_file";
+
+          PKCEAuthorizationFlow.ProviderConfig = {
+            Audience = "dgn_netbird";
+            ClientID = "dgn_netbird";
+            AuthorizationEndpoint = "https://sso.dgnum.eu/ui/oauth2";
+            TokenEndpoint = "https://sso.dgnum.eu/oauth2/token";
+          };
+
+          IdpManagerConfig.ClientConfig.ClientID = "dgn_netbird";
+
+          DeviceAuthorizationFlow = {
+            Provider = "none";
+            ProviderConfig = {
+              Audience = "dgn_netbird";
+              ClientID = "dgn_netbird";
+            };
+          };
+
+          Relay = {
+            Addresses = [ "rels://${domain}:443" ];
+            CredentialsTTL = "24h";
+            Secret._secret = s "netbird-relay_secret_file";
+          };
+        };
+      };
+    };
+
+    nginx.virtualHosts.${domain} = {
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+
+  dgn-backups.jobs.netbird.settings.paths = [ "/var/lib/netbird-mgmt" ];
+}
--- a/machines/storage01/netbird/default.nix
+++ b/machines/storage01/netbird/default.nix
@ -1,47 +0,0 @@
-{ config, ... }:
-
-let
-  domain = "netbird.dgnum.eu";
-in
-{
-  imports = [ ./module.nix ];
-
-  services.netbird-server = {
-    enable = true;
-
-    logLevel = "DEBUG";
-    enableDeviceAuthorizationFlow = false;
-    enableNginx = true;
-    enableCoturn = true;
-    setupAutoOidc = true;
-
-    management.dnsDomain = "dgnum";
-
-    secretFiles.AUTH_CLIENT_SECRET = config.age.secrets."netbird-auth_client_secret_file".path;
-
-    settings = {
-      NETBIRD_DOMAIN = domain;
-
-      TURN_PASSWORD = "tototest1234";
-
-      NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT = "https://sso.dgnum.eu/oauth2/openid/netbird_dgn/.well-known/openid-configuration";
-      NETBIRD_AUTH_PKCE_USE_ID_TOKEN = true;
-
-      NETBIRD_AUTH_AUDIENCE = "netbird_dgn";
-      NETBIRD_AUTH_CLIENT_ID = "netbird_dgn";
-      NETBIRD_AUTH_USER_ID_CLAIM = "sub";
-      # Updates the preference to use id tokens instead of access token on dashboard
-      # Okta and Gitlab IDPs can benefit from this
-      NETBIRD_TOKEN_SOURCE = "idToken";
-
-      # NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (p: "http://localhost:${p}") [
-      #   "53000"
-      #   "54000"
-      # ];
-
-      NETBIRD_STORE_CONFIG_ENGINE = "sqlite";
-    };
-  };
-
-  dgn-backups.jobs.netbird.settings.paths = [ "/var/lib/netbird-mgmt" ];
-}
--- a/machines/storage01/netbird/module.nix
+++ b/machines/storage01/netbird/module.nix
@ -1,643 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  inherit (lib)
-    filterAttrs
-    literalExpression
-    maintainers
-    mkDefault
-    mkEnableOption
-    mkIf
-    mkMerge
-    mkOption
-    optionalAttrs
-    optionalString
-    optionals
-    types
-    ;
-
-  inherit ((import ./package { inherit pkgs; })) dashboard;
-
-  cfg = config.services.netbird-server;
-
-  stateDir = "/var/lib/netbird-mgmt";
-
-  settingsFormat = pkgs.formats.keyValue { };
-  managementFormat = pkgs.formats.json { };
-
-  settingsFile = settingsFormat.generate "setup.env" (
-    builtins.mapAttrs (
-      _: val: if builtins.isList val then ''"${builtins.concatStringsSep " " val}"'' else val
-    ) settings
-  );
-
-  managementFile = managementFormat.generate "config.json" cfg.managementConfig;
-
-  settings =
-    rec {
-      TURN_DOMAIN = cfg.settings.NETBIRD_DOMAIN;
-      TURN_PORT = 3478;
-      TURN_USER = "netbird";
-      TURN_MIN_PORT = 49152;
-      TURN_MAX_PORT = 65535;
-      TURN_PASSWORD = if cfg.secretFiles.TURN_PASSWORD != null then "$TURN_PASSWORD" else null;
-      TURN_SECRET = if cfg.secretFiles.TURN_SECRET != null then "$TURN_SECRET" else "secret";
-
-      STUN_USERNAME = "";
-      STUN_PASSWORD = if cfg.secretFiles.STUN_PASSWORD != null then "$STUN_PASSWORD" else null;
-
-      NETBIRD_DASHBOARD_ENDPOINT = "https://${cfg.settings.NETBIRD_DOMAIN}:443";
-      NETBIRD_MGMT_API_ENDPOINT = "https://${cfg.settings.NETBIRD_DOMAIN}:${
-        builtins.toString cfg.settings.NETBIRD_MGMT_API_PORT or NETBIRD_MGMT_API_PORT
-      }";
-      NETBIRD_SIGNAL_ENDPOINT = "https://${cfg.settings.NETBIRD_DOMAIN}:${
-        builtins.toString cfg.settings.NETBIRD_SIGNAL_PORT or NETBIRD_SIGNAL_PORT
-      }";
-
-      NETBIRD_SIGNAL_PROTOCOL = "https";
-      NETBIRD_SIGNAL_PORT = 443;
-
-      NETBIRD_AUTH_USER_ID_CLAIM = "sub";
-      NETBIRD_AUTH_CLIENT_SECRET =
-        if cfg.secretFiles.AUTH_CLIENT_SECRET != null then "$AUTH_CLIENT_SECRET" else "";
-      NETBIRD_AUTH_SUPPORTED_SCOPES = [
-        "openid"
-        "profile"
-        "email"
-        "offline_access"
-        "api"
-      ];
-
-      NETBIRD_AUTH_REDIRECT_URI = "";
-      NETBIRD_AUTH_SILENT_REDIRECT_URI = "";
-
-      NETBIRD_AUTH_DEVICE_AUTH_PROVIDER = "none";
-      NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
-      NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE = cfg.settings.NETBIRD_AUTH_AUDIENCE;
-      NETBIRD_AUTH_DEVICE_AUTH_SCOPE = [
-        "openid"
-        "profile"
-        "email"
-        "offline_access"
-        "api"
-      ];
-      NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN = false;
-
-      NETBIRD_MGMT_API_PORT = 443;
-
-      NETBIRD_MGMT_IDP = "none";
-      NETBIRD_IDP_MGMT_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
-      NETBIRD_IDP_MGMT_CLIENT_SECRET =
-        if cfg.secretFiles.IDP_MGMT_CLIENT_SECRET != null then
-          "$IDP_MGMT_CLIENT_SECRET"
-        else
-          cfg.settings.NETBIRD_AUTH_CLIENT_SECRET;
-      NETBIRD_IDP_MGMT_GRANT_TYPE = "client_credentials";
-
-      NETBIRD_TOKEN_SOURCE = "accessToken";
-      NETBIRD_DRAG_QUERY_PARAMS = false;
-
-      NETBIRD_USE_AUTH0 = false;
-
-      NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "";
-
-      NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS = [ "53000" ];
-      NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (
-        p: "http://localhost:${p}"
-      ) cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS;
-    }
-    // (optionalAttrs cfg.setupAutoOidc {
-      NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT = "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT";
-      NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT";
-      NETBIRD_AUTH_TOKEN_ENDPOINT = "$NETBIRD_AUTH_TOKEN_ENDPOINT";
-      NETBIRD_AUTH_JWT_CERTS = "$NETBIRD_AUTH_JWT_CERTS";
-      NETBIRD_AUTH_AUTHORITY = "$NETBIRD_AUTH_AUTHORITY";
-    })
-    // cfg.settings;
-in
-{
-  meta = {
-    maintainers = with maintainers; [ thubrecht ];
-  };
-
-  options.services.netbird-server = {
-    enable = mkEnableOption (lib.mdDoc "netbird management service.");
-
-    package = mkOption {
-      type = types.package;
-      default = pkgs.netbird;
-      defaultText = literalExpression "pkgs.netbird";
-      description = lib.mdDoc "The package to use for netbird";
-    };
-
-    settings = mkOption {
-      type =
-        with types;
-        attrsOf (
-          nullOr (oneOf [
-            (listOf str)
-            bool
-            int
-            float
-            str
-          ])
-        );
-      defaultText = lib.literalExpression ''
-        {
-          TURN_DOMAIN = cfg.settings.NETBIRD_DOMAIN;
-          TURN_PORT = 3478;
-          TURN_USER = "netbird";
-          TURN_MIN_PORT = 49152;
-          TURN_MAX_PORT = 65535;
-          TURN_PASSWORD = if cfg.secretFiles.TURN_PASSWORD != null then "$TURN_PASSWORD" else null;
-          TURN_SECRET = if cfg.secretFiles.TURN_SECRET != null then "$TURN_SECRET" else "secret";
-
-          STUN_USERNAME = "";
-          STUN_PASSWORD = if cfg.secretFiles.STUN_PASSWORD != null then "$STUN_PASSWORD" else null;
-
-          NETBIRD_DASHBOARD_ENDPOINT = "https://''${cfg.settings.NETBIRD_DOMAIN}:443";
-          NETBIRD_MGMT_API_ENDPOINT = "https://''${cfg.settings.NETBIRD_DOMAIN}:''${builtins.toString cfg.settings.NETBIRD_MGMT_API_PORT or NETBIRD_MGMT_API_PORT}";
-          NETBIRD_SIGNAL_ENDPOINT = "https://''${cfg.settings.NETBIRD_DOMAIN}:''${builtins.toString cfg.settings.NETBIRD_SIGNAL_PORT or NETBIRD_SIGNAL_PORT}";
-
-          NETBIRD_SIGNAL_PROTOCOL = "https";
-          NETBIRD_SIGNAL_PORT = 443;
-
-          NETBIRD_AUTH_USER_ID_CLAIM = "sub";
-          NETBIRD_AUTH_CLIENT_SECRET = if cfg.secretFiles.AUTH_CLIENT_SECRET != null then "$AUTH_CLIENT_SECRET" else "";
-          NETBIRD_AUTH_SUPPORTED_SCOPES = [ "openid" "profile" "email" "offline_access" "api" ];
-
-          NETBIRD_AUTH_REDIRECT_URI = "";
-          NETBIRD_AUTH_SILENT_REDIRECT_URI = "";
-
-          NETBIRD_AUTH_DEVICE_AUTH_PROVIDER = "none";
-          NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
-          NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE = cfg.settings.NETBIRD_AUTH_AUDIENCE;
-          NETBIRD_AUTH_DEVICE_AUTH_SCOPE = [ "openid" "profile" "email" "offline_access" "api" ];
-          NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN = false;
-
-          NETBIRD_MGMT_API_PORT = 443;
-
-          NETBIRD_MGMT_IDP = "none";
-          NETBIRD_IDP_MGMT_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
-          NETBIRD_IDP_MGMT_CLIENT_SECRET = if cfg.secretFiles.IDP_MGMT_CLIENT_SECRET != null then "$IDP_MGMT_CLIENT_SECRET" else cfg.settings.NETBIRD_AUTH_CLIENT_SECRET;
-          NETBIRD_IDP_MGMT_GRANT_TYPE = "client_credentials";
-
-          NETBIRD_TOKEN_SOURCE = "accessToken";
-          NETBIRD_DRAG_QUERY_PARAMS = false;
-
-          NETBIRD_USE_AUTH0 = false;
-
-          NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "";
-
-          NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS = [ "53000" ];
-          NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (p: "http://localhost:''${p}") cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS;
-        }
-      '';
-      description = lib.mdDoc ''
-        Configuration settings for netbird.
-        Example config values can be found in [setup.env.example](https://github.com/netbirdio/netbird/blob/main/infrastructure_files/setup.env.example)
-        List of strings [ a b ] will be concatenated as "a b", useful for setting the supported scopes.
-      '';
-    };
-
-    managementConfig = mkOption {
-      inherit (managementFormat) type;
-      description = lib.mdDoc "Configuration of the netbird management server.";
-    };
-
-    idpManagerExtraConfig = mkOption {
-      type = types.attrsOf types.str;
-      default = { };
-      description = lib.mdDoc "Extra options passed to the IdpManagerConfig.";
-    };
-
-    ports.management = mkOption {
-      type = types.port;
-      default = 8011;
-      description = lib.mdDoc "Internal port of the management server.";
-    };
-
-    ports.signal = mkOption {
-      type = types.port;
-      default = 8012;
-      description = lib.mdDoc "Internal port of the signal server.";
-    };
-
-    logLevel = mkOption {
-      type = types.enum [
-        "ERROR"
-        "WARN"
-        "INFO"
-        "DEBUG"
-      ];
-      default = "INFO";
-      description = lib.mdDoc "Log level of the netbird services.";
-    };
-
-    enableDeviceAuthorizationFlow = mkEnableOption "device authorization flow for netbird." // {
-      default = true;
-    };
-
-    enableNginx = mkEnableOption "NGINX reverse-proxy for the netbird server.";
-
-    enableCoturn = mkEnableOption "a Coturn server used for Netbird.";
-
-    setupAutoOidc = mkEnableOption "the automatic setup of the OIDC.";
-
-    management = {
-
-      dnsDomain = mkOption {
-        type = types.str;
-        default = "netbird.selfhosted";
-        description = lib.mdDoc "Domain used for peer resolution.";
-      };
-
-      singleAccountModeDomain = mkOption {
-        type = types.str;
-        default = "netbird.selfhosted";
-        description = lib.mdDoc ''
-          Enables single account mode.
-          This means that all the users will be under the same account grouped by the specified domain.
-          If the installation has more than one account, the property is ineffective.
-        '';
-      };
-
-      disableAnonymousMetrics = mkOption {
-        type = types.bool;
-        default = true;
-        description = lib.mdDoc "Disables push of anonymous usage metrics to NetBird.";
-      };
-
-      disableSingleAccountMode = mkOption {
-        type = types.bool;
-        default = false;
-        description = lib.mdDoc ''
-          If set to true, disables single account mode.
-          The `singleAccountModeDomain` property will be ignored and every new user will have a separate NetBird account.
-        '';
-      };
-    };
-
-    secretFiles = {
-      TURN_PASSWORD = mkOption {
-        type = with types; nullOr path;
-        default = null;
-        description = lib.mdDoc "Path to a file containing the secret TURN_PASSWORD.";
-      };
-
-      TURN_SECRET = mkOption {
-        type = with types; nullOr path;
-        default = null;
-        description = lib.mdDoc "Path to a file containing the secret TURN_SECRET.";
-      };
-
-      STUN_PASSWORD = mkOption {
-        type = with types; nullOr path;
-        default = null;
-        description = lib.mdDoc "Path to a file containing the secret STUN_PASSWORD.";
-      };
-
-      AUTH_CLIENT_SECRET = mkOption {
-        type = with types; nullOr path;
-        default = null;
-        description = lib.mdDoc "Path to a file containing the secret NETBIRD_AUTH_CLIENT_SECRET.";
-      };
-
-      IDP_MGMT_CLIENT_SECRET = mkOption {
-        type = with types; nullOr path;
-        default = cfg.secretFiles.AUTH_CLIENT_SECRET;
-        defaultText = lib.literalExpression "cfg.secretFiles.AUTH_CLIENT_SECRET;";
-        description = lib.mdDoc "Path to a file containing the secret NETBIRD_IDP_MGMT_CLIENT_SECRET.";
-      };
-    };
-  };
-
-  config = mkMerge [
-    (mkIf cfg.enable {
-      services.netbird-server.managementConfig = with settings; {
-        Stuns = mkDefault [
-          {
-            Proto = "udp";
-            URI = "stun:${TURN_DOMAIN}:${builtins.toString TURN_PORT}";
-            Username = STUN_USERNAME;
-            Password = STUN_PASSWORD;
-          }
-        ];
-        TURNConfig = {
-          Turns = [
-            {
-              Proto = "udp";
-              URI = "turn:${TURN_DOMAIN}:${builtins.toString TURN_PORT}";
-              Username = TURN_USER;
-              Password = TURN_PASSWORD;
-            }
-          ];
-          CredentialsTTL = "12h";
-          Secret = TURN_SECRET;
-          TimeBasedCredentials = false;
-        };
-        Signal = {
-          Proto = NETBIRD_SIGNAL_PROTOCOL;
-          URI = "${NETBIRD_DOMAIN}:${builtins.toString NETBIRD_SIGNAL_PORT}";
-          Username = "";
-          Password = null;
-        };
-        Datadir = "${stateDir}/data";
-        HttpConfig = {
-          Address = "127.0.0.1:${builtins.toString cfg.ports.management}";
-          AuthIssuer = NETBIRD_AUTH_AUTHORITY;
-          AuthAudience = NETBIRD_AUTH_AUDIENCE;
-          AuthKeysLocation = NETBIRD_AUTH_JWT_CERTS;
-          AuthUserIDClaim = NETBIRD_AUTH_USER_ID_CLAIM;
-          OIDCConfigEndpoint = NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT;
-        };
-        IdpManagerConfig = {
-          ManagerType = NETBIRD_MGMT_IDP;
-          ClientConfig = {
-            Issuer = NETBIRD_AUTH_AUTHORITY;
-            TokenEndpoint = NETBIRD_AUTH_TOKEN_ENDPOINT;
-            ClientID = NETBIRD_IDP_MGMT_CLIENT_ID;
-            ClientSecret = NETBIRD_IDP_MGMT_CLIENT_SECRET;
-            GrantType = NETBIRD_IDP_MGMT_GRANT_TYPE;
-          };
-          ExtraConfig = cfg.idpManagerExtraConfig;
-        };
-        DeviceAuthorizationFlow = mkIf cfg.enableDeviceAuthorizationFlow {
-          Provider = NETBIRD_AUTH_DEVICE_AUTH_PROVIDER;
-          ProviderConfig = {
-            Audience = NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE;
-            Domain = NETBIRD_AUTH_AUTHORITY;
-            ClientID = NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID;
-            TokenEndpoint = NETBIRD_AUTH_TOKEN_ENDPOINT;
-            DeviceAuthEndpoint = NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT;
-            Scope = builtins.concatStringsSep " " NETBIRD_AUTH_DEVICE_AUTH_SCOPE;
-            UseIDToken = NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN;
-          };
-        };
-        PKCEAuthorizationFlow = {
-          ProviderConfig = {
-            Audience = NETBIRD_AUTH_AUDIENCE;
-            ClientID = NETBIRD_AUTH_CLIENT_ID;
-            ClientSecret = NETBIRD_AUTH_CLIENT_SECRET;
-            AuthorizationEndpoint = NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT;
-            TokenEndpoint = NETBIRD_AUTH_TOKEN_ENDPOINT;
-            Scope = builtins.concatStringsSep " " NETBIRD_AUTH_SUPPORTED_SCOPES;
-            RedirectURLs = NETBIRD_AUTH_PKCE_REDIRECT_URLS;
-            UseIDToken = NETBIRD_AUTH_PKCE_USE_ID_TOKEN;
-          };
-        };
-      };
-
-      services.nginx.virtualHosts = mkIf cfg.enableNginx {
-        ${cfg.settings.NETBIRD_DOMAIN} = {
-          forceSSL = true;
-          enableACME = true;
-
-          locations = {
-            "/" = {
-              root = "${stateDir}/web-ui/";
-              tryFiles = "$uri /index.html";
-            };
-
-            "/signalexchange.SignalExchange/".extraConfig = ''
-              grpc_pass grpc://localhost:${builtins.toString cfg.ports.signal};
-              grpc_read_timeout 1d;
-              grpc_send_timeout 1d;
-              grpc_socket_keepalive on;
-            '';
-
-            "/api".proxyPass = "http://localhost:${builtins.toString cfg.ports.management}";
-
-            "/management.ManagementService/".extraConfig = ''
-              grpc_pass grpc://localhost:${builtins.toString cfg.ports.management};
-              grpc_read_timeout 1d;
-              grpc_send_timeout 1d;
-              grpc_socket_keepalive on;
-            '';
-          };
-        };
-      };
-
-      systemd.services = {
-        netbird-setup = {
-          wantedBy = [
-            "netbird-management.service"
-            "netbird-signal.service"
-            "multi-user.target"
-          ];
-          serviceConfig = {
-            Type = "oneshot";
-            RuntimeDirectory = "netbird-mgmt";
-            StateDirectory = "netbird-mgmt";
-            WorkingDirectory = stateDir;
-            EnvironmentFile = [ settingsFile ];
-          };
-          unitConfig = {
-            StartLimitInterval = 5;
-            StartLimitBurst = 10;
-          };
-
-          path =
-            (with pkgs; [
-              coreutils
-              findutils
-              gettext
-              gnused
-            ])
-            ++ (optionals cfg.setupAutoOidc (
-              with pkgs;
-              [
-                curl
-                jq
-              ]
-            ));
-
-          script =
-            ''
-              cp ${managementFile} ${stateDir}/management.json.copy
-            ''
-            + (optionalString cfg.setupAutoOidc ''
-              mv ${stateDir}/management.json.copy ${stateDir}/management.json
-              echo "loading OpenID configuration from $NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT to the openid-configuration.json file"
-              curl "$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT" -q -o ${stateDir}/openid-configuration.json
-
-              export NETBIRD_AUTH_AUTHORITY=$(jq -r '.issuer' ${stateDir}/openid-configuration.json)
-              export NETBIRD_AUTH_JWT_CERTS=$(jq -r '.jwks_uri' ${stateDir}/openid-configuration.json)
-              export NETBIRD_AUTH_TOKEN_ENDPOINT=$(jq -r '.token_endpoint' ${stateDir}/openid-configuration.json)
-              export NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT=$(jq -r '.device_authorization_endpoint' ${stateDir}/openid-configuration.json)
-              export NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT=$(jq -r '.authorization_endpoint' ${stateDir}/openid-configuration.json)
-
-              envsubst '$NETBIRD_AUTH_AUTHORITY $NETBIRD_AUTH_JWT_CERTS $NETBIRD_AUTH_TOKEN_ENDPOINT $NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT $NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT' < ${stateDir}/management.json > ${stateDir}/management.json.copy
-            '')
-            + ''
-              # Update secrets in management.json
-              ${builtins.concatStringsSep "\n" (
-                builtins.attrValues (
-                  builtins.mapAttrs (name: path: "export ${name}=$(cat ${path})") (
-                    filterAttrs (_: p: p != null) cfg.secretFiles
-                  )
-                )
-              )}
-
-              envsubst '$TURN_PASSWORD $TURN_SECRET $STUN_PASSWORD $AUTH_CLIENT_SECRET $IDP_MGMT_CLIENT_SECRET' < ${stateDir}/management.json.copy > ${stateDir}/management.json
-
-              rm -rf ${stateDir}/web-ui
-              mkdir -p ${stateDir}/web-ui
-              cp -R ${dashboard}/* ${stateDir}/web-ui
-
-              export AUTH_AUTHORITY="$NETBIRD_AUTH_AUTHORITY"
-              export AUTH_CLIENT_ID="$NETBIRD_AUTH_CLIENT_ID"
-              ${optionalString (
-                cfg.secretFiles.AUTH_CLIENT_SECRET == null
-              ) ''export AUTH_CLIENT_SECRET="$NETBIRD_AUTH_CLIENT_SECRET"''}
-              export AUTH_AUDIENCE="$NETBIRD_AUTH_AUDIENCE"
-              export AUTH_REDIRECT_URI="$NETBIRD_AUTH_REDIRECT_URI"
-              export AUTH_SILENT_REDIRECT_URI="$NETBIRD_AUTH_SILENT_REDIRECT_URI"
-              export USE_AUTH0="$NETBIRD_USE_AUTH0"
-              export AUTH_SUPPORTED_SCOPES=$(echo $NETBIRD_AUTH_SUPPORTED_SCOPES | sed -E 's/"//g')
-
-              export NETBIRD_MGMT_API_ENDPOINT=$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//')
-
-              MAIN_JS=$(find ${stateDir}/web-ui/static/js/main.*js)
-              OIDC_TRUSTED_DOMAINS=${stateDir}/web-ui/OidcTrustedDomains.js
-              mv "$MAIN_JS" "$MAIN_JS".copy
-              envsubst '$USE_AUTH0 $AUTH_AUTHORITY $AUTH_CLIENT_ID $AUTH_CLIENT_SECRET $AUTH_SUPPORTED_SCOPES $AUTH_AUDIENCE $NETBIRD_MGMT_API_ENDPOINT $NETBIRD_MGMT_GRPC_API_ENDPOINT $NETBIRD_HOTJAR_TRACK_ID $AUTH_REDIRECT_URI $AUTH_SILENT_REDIRECT_URI $NETBIRD_TOKEN_SOURCE $NETBIRD_DRAG_QUERY_PARAMS' < "$MAIN_JS".copy > "$MAIN_JS"
-              envsubst '$NETBIRD_MGMT_API_ENDPOINT' < "$OIDC_TRUSTED_DOMAINS".tmpl > "$OIDC_TRUSTED_DOMAINS"
-            '';
-        };
-
-        netbird-signal = {
-          after = [ "network.target" ];
-          wantedBy = [ "netbird-management.service" ];
-          restartTriggers = [
-            settingsFile
-            managementFile
-          ];
-
-          serviceConfig = {
-            ExecStart = ''
-              ${cfg.package}/bin/netbird-signal run \
-                --port ${builtins.toString cfg.ports.signal} \
-                --log-file console \
-                --log-level ${cfg.logLevel}
-            '';
-            Restart = "always";
-            RuntimeDirectory = "netbird-mgmt";
-            StateDirectory = "netbird-mgmt";
-            WorkingDirectory = stateDir;
-          };
-          unitConfig = {
-            StartLimitInterval = 5;
-            StartLimitBurst = 10;
-          };
-          stopIfChanged = false;
-        };
-
-        netbird-management = {
-          description = "The management server for Netbird, a wireguard VPN";
-          documentation = [ "https://netbird.io/docs/" ];
-          after = [
-            "network.target"
-            "netbird-setup.service"
-          ];
-          wantedBy = [ "multi-user.target" ];
-          wants = [
-            "netbird-signal.service"
-            "netbird-setup.service"
-          ];
-          restartTriggers = [
-            settingsFile
-            managementFile
-          ];
-
-          serviceConfig = {
-            ExecStart = ''
-              ${cfg.package}/bin/netbird-mgmt management \
-                --config ${stateDir}/management.json \
-                --datadir ${stateDir}/data \
-                ${optionalString cfg.management.disableAnonymousMetrics "--disable-anonymous-metrics"} \
-                ${optionalString cfg.management.disableSingleAccountMode "--disable-single-account-mode"} \
-                --dns-domain ${cfg.management.dnsDomain} \
-                --single-account-mode-domain ${cfg.management.singleAccountModeDomain} \
-                --idp-sign-key-refresh-enabled \
-                --port ${builtins.toString cfg.ports.management} \
-                --log-file console \
-                --log-level ${cfg.logLevel}
-            '';
-            Restart = "always";
-            RuntimeDirectory = "netbird-mgmt";
-            StateDirectory = [
-              "netbird-mgmt"
-              "netbird-mgmt/data"
-            ];
-            WorkingDirectory = stateDir;
-          };
-          unitConfig = {
-            StartLimitInterval = 5;
-            StartLimitBurst = 10;
-          };
-          stopIfChanged = false;
-        };
-      };
-    })
-
-    (mkIf cfg.enableCoturn {
-      services.coturn = {
-        enable = true;
-
-        realm = settings.NETBIRD_DOMAIN;
-        lt-cred-mech = true;
-        no-cli = true;
-
-        extraConfig = ''
-          fingerprint
-
-          user=${settings.TURN_USER}:${builtins.toString settings.TURN_PASSWORD}
-          no-software-attribute
-        '';
-      };
-
-      networking.firewall = {
-        allowedUDPPorts = with settings; [
-          TURN_PORT
-          (TURN_PORT + 1)
-          5349
-          5350
-        ];
-        allowedTCPPorts = with settings; [
-          TURN_PORT
-          (TURN_PORT + 1)
-        ];
-        allowedUDPPortRanges = [
-          {
-            from = settings.TURN_MIN_PORT;
-            to = settings.TURN_MAX_PORT;
-          }
-        ];
-      };
-    })
-
-    (mkIf (cfg.enableNginx && cfg.enableCoturn) {
-      services.coturn =
-        let
-          cert = config.security.acme.certs.${settings.TURN_DOMAIN};
-        in
-        {
-          cert = "${cert.directory}/fullchain.pem";
-          pkey = "${cert.directory}/key.pem";
-        };
-
-      users.users.nginx.extraGroups = [ "turnserver" ];
-
-      # share certs with coturn and restart on renewal
-      security.acme.certs.${settings.TURN_DOMAIN} = {
-        group = "turnserver";
-        postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
-      };
-    })
-  ];
-}
--- a/machines/storage01/netbird/package/dashboard.nix
+++ b/machines/storage01/netbird/package/dashboard.nix
@ -1,31 +0,0 @@
-{
-  lib,
-  buildNpmPackage,
-  fetchFromGitHub,
-}:
-
-buildNpmPackage rec {
-  pname = "netbird-dashboard";
-  version = "1.17.6";
-
-  src = fetchFromGitHub {
-    owner = "netbirdio";
-    repo = "dashboard";
-    rev = "v${version}";
-    hash = "sha256-MDxN/58dv6OqPYnNgDVZ+YRzfw2dER7x8mEWe14rQ40=";
-  };
-
-  npmDepsHash = "sha256-x7YyzBPAiXyxaIcAvUrXBexYaw0TaYnKgQKT3KadW8w=";
-  npmFlags = [ "--legacy-peer-deps" ];
-
-  installPhase = ''
-    cp -R build $out
-  '';
-
-  meta = with lib; {
-    description = "NetBird Management Service Web UI Panel";
-    homepage = "https://github.com/netbirdio/dashboard";
-    license = licenses.bsd3;
-    maintainers = with maintainers; [ thubrecht ];
-  };
-}
--- a/machines/storage01/netbird/package/default.nix
+++ b/machines/storage01/netbird/package/default.nix
@ -1,7 +0,0 @@
-{
-  pkgs ? import <nixpkgs> { },
-}:
-
-{
-  dashboard = pkgs.callPackage ./dashboard.nix { };
-}
--- a/machines/storage01/peertube.nix
+++ b/machines/storage01/peertube.nix
@ -4,6 +4,8 @@ let
  host = "videos.dgnum.eu";
 in
 {
+  dgn-web.internalPorts.peertube = config.services.peertube.listenHttp;
+
  services.peertube = {
    enable = true;

--- a/machines/storage01/prometheus.nix
+++ b/machines/storage01/prometheus.nix
@ -77,15 +77,9 @@ in
    ];
  };

-  services.nginx.virtualHosts.${host} = {
-    enableACME = true;
-    forceSSL = true;
-
-    locations."/" = {
-      proxyPass = "http://127.0.0.1:${builtins.toString port}";
-      proxyWebsockets = true;
-      recommendedProxySettings = true;
-    };
+  dgn-web.simpleProxies.prometheus = {
+    inherit host port;
+    proxyWebsockets = true;
  };

  age-secrets.autoMatch = [ "prometheus" ];
--- a/machines/storage01/redirections.nix
+++ b/machines/storage01/redirections.nix
@ -0,0 +1,9 @@
+{
+  dgn-redirections = {
+    permanent = {
+      "www.lanuit.ens.fr" = "lanuit.ens.fr";
+      "lanuit.ens.psl.eu" = "lanuit.ens.fr";
+      "www.lanuit.ens.psl.eu" = "lanuit.ens.fr";
+    };
+  };
+}
--- a/machines/storage01/secrets/atticd-credentials_file
+++ b/machines/storage01/secrets/atticd-credentials_file
@ -1,30 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 jIXfPA HECtxDO0OV6To/Qs3A+2N8+3xqsHp6pz6d4ArgsgXS4
-mnmDwWZ6d1aW5Qejzv2Jo112ee78wKVx90R7r5wQbYo
-> ssh-ed25519 QlRB9Q Rx3bV/DkoCCvQCMwJGOfibG8Rif5Ap+W6EqWlFOhUQc
-jxEFUWqxedwIK3mNyOG+5dyFFZbJZ3XNFXnk0fe0vyw
-> ssh-ed25519 r+nK/Q J591Cg/4oP26LT7Tl/wrdDipR/gpg1WMsiKJN0ygbjw
-WToE5xtuF2FOqtvRgz1SZStYGjTsKRxguIioan+vluU
-> ssh-rsa krWCLQ
-hhp33AzK6wYWM6k7ZroV0J5i8C5MQXjQY9sksPQdABRQUd6XTmYOIOdA0ste0EA9
-hqbbHQwbFy0oE/QKfnUZWbgJo5Us1DWKxip55L875CPfVcmxvC2ADRO5JKKNkQa/
-P4zBALPqf+BXrafcGN4hT8D9gywIWdQ2zPSpKbJE+OdPcUrBVH/ndMUVoLfTEKL9
-B3XgqRvLNkgsdu7FMEPnelWT3WrxkBME7AathdXcEYXSxiTmaKqxDzRtcNLdh+y2
-6XfQU6lLMT+WWPD/Ro7UzLrWUnFJMYK0SinkOuX+PKxMq95lCc5kI3tZ7JL7bC5E
-vBGnX9w0unyR//LLqrOPWA
-> ssh-ed25519 /vwQcQ eYSTWAYs/L+cYt/16TrKaIqoc9TFJQncM02Vd8hOg3A
-lWalXa1ZBtrjXOB+sznWCjStFHF4ulLaBilEc3b7qWc
-> ssh-ed25519 0R97PA 78K7uF/mXT4pgTbnmfpyxY2czgs+DNueusuatUx7MCQ
-C/pWPdVCWZuHFuM5fzJHdGZomM3Wbt22iwfLbLSznh0
-> ssh-ed25519 JGx7Ng xFzEGNVIiC0cXCbcSKUfmVLAdRBH7xu6/2E7nVoRwjI
-+TgvIl03KGm5N55+jGc7UcyRHjMvAFm3Kbvx5Ma4HQ4
-> ssh-ed25519 5SY7Kg 7YO/crKVWSsr3Hy5HPr0/R3oPdCA2kWduZYeSlcxGnI
-N0IpdylU+3ybInseGSKPONxeNr8mh/ZlBGCvY2c0WTA
-> ssh-ed25519 p/Mg4Q y1ekwzz3sSHGrLmb0NqF6VWfalARy+PykE77hVqD7Xc
-0s9QrDsLH6XdzetyIXJEB2MrwwUi8CDpu7SEemm8zJ4
-> ssh-ed25519 rHotTw 7SMzV/pEmDISPL/fMjafXM3URZpbUPTg+9AngZ0GZTc
-eIi1+i9JVBLvfQMkmMv5S0N8qgwVtyklX/J+6MdtlSc
--- Gjl7lNWG9gyMlg256Oa5i5bFLm1Cup1upjsEDVurgDo
-uÂ;.ÿñË>pÔïÑ–<C391>òh¸<68>2ÎŒ›}£PJ4èú‘©‰Ñ×íè==#¯¾Úÿ¹8e¤UÊÉŠÇ$1»!–z<E28093>jlA‡[@;ò‚s®<>ŒÉáAB±á-§Rå=È0Ò·d“ðµú†Ê¢þ{«ÒF¹—h›ò–Ã ù@%ˆŠä´›|×{	¢åeÚÝÛ¯âøsbë«]Óèå¨ø.m8 8Bn"(Ûæ¤âïW½í!zxn\Ã(5:ïíÒÞ-ZD’ËÇÃ)}HŠü˜¦×ál}Sƒ‘˜ëFrn
-øL¦-wÉÑ—¼j)ê	â¶èÐ&:¥îÓCÞÆ2ÝÒÅÀÏB»ÛzïàŽŸt•WÍ!£8|lïí0
-¾¸y8óÃkñbÔy×ËäÏè‡ƒ‹¹·k’¤¨ÉÍ™ê°n/-’'ÃZ<C383>ÅŸ
 ¾îÆ¾\Ûâê‰ù†uŸÍeu®"E ±/d
--- a/machines/storage01/secrets/netbird-auth_client_secret_file
+++ b/machines/storage01/secrets/netbird-auth_client_secret_file
--- a/machines/storage01/secrets/netbird-data_store_encryption_key_file
+++ b/machines/storage01/secrets/netbird-data_store_encryption_key_file
@ -0,0 +1,30 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA xId0d57S+YmTeZzTTNOs7Pt3RPQ7MLNiKg6Mox2MEFo
+hFUYZMNoxZQBEKz4SYDC4nLDDXRftXtUtCLCX2kvwZ8
+-> ssh-ed25519 QlRB9Q kmsgaV+FRbqcKkhttlbmY22M6pO6kMCqLUYsq1yGSyA
+VmprdWLh380qm6aarum1q17pDrMF0KLyXV/PN1OmEO8
+-> ssh-ed25519 r+nK/Q XVeZFVNLv0FlL/lPhXrvVJcHAubE1tTfSxl5iiixtF0
+Udm/qZMOzNcg2LMffkns+jUlrtXAC8Mk8ofCSD6zf/0
+-> ssh-rsa krWCLQ
+OJlswMZEz2ONsqvFH8aMo4cRXzNiSkqtOmNQuWbRcAI4sXKCNuNtNcv6WPcpBMPZ
+8eTvoIOf8triUwGBWLZ9oRvYOeoucyWCqx0zf11VwOclRBeziRPOQ5Uon+5gpsg2
+H1FO7Sk0sVjME/2INUjd1Q4TlPF9tlUOcEDBgyc81cLI0JrR7S2D6Hl/rAN9Gees
+D9c+q5PJkvbw7KQPEu7WOxPNCi1gRyHSlKv5ef5gToNOl/c8GAJR5FutO/bTgTTl
+P+yLysKXK+r2IwNNMHGFBDVbsp09IjQ+H623Sfr6H0pR7FYShohfzcM6JA3ydztN
+Gy5MiJasx3nWCUYJZUL1Fw
+-> ssh-ed25519 /vwQcQ OelREEMNnpUXuJ8BA1VPVM8yqEd8PS9m81sw5gaq8U8
+wPUQOWxzsj55/hii7Cd4+P1eFWVDQANwIcImOliOqog
+-> ssh-ed25519 0R97PA 9NzXGY3sZb8srqaVWWbZhbNJdDfCfeZIhJHPWy9U4FU
+LvE5cI8heO8XhsejCWaJrwaRGYGCziymPZLrYTOXtg
+-> ssh-ed25519 JGx7Ng 1jWoS1sqmY9MxZT7fAMsg5QbokAMNlTg9jmpxzr1ekQ
+7MndRQ0ruZP2/cOKaid60rQg8Q3ljy2oknf0czOLGSo
+-> ssh-ed25519 5SY7Kg Bm19KVQA8DkrDxiYsVRdKVubML7J9L/apLoUs+otehk
+kQMv/7uijZlyGDbDt2aNF85vp4nYM9o3fIetvnykX6I
+-> ssh-ed25519 p/Mg4Q /vhTds9k+5uwSDjLyKp18ge+bu/Aeg72nHx2joWUTw0
+zeim4NPL7floIvZ296vYuyk5XAVFCCaWRc0iRQQxbyg
+-> ssh-ed25519 rHotTw YbKb6NyxsknA125fdWj5/RJjmaY22yDwNx+bLKV6ZW4
+jJw+YJqQC/B+UMLYAtTAIZuON2hiZAY171ovJ0ceKjg
+-> @K'k$-grease x>ie }CH4sS h|s
+bVzOpc2vPj8ldZskVlQSmOE7wHR2q/dXcdC6vrPXSvYWCKK8Rg
+--- uDaSBMjg5lvDnZyTKHqveb5B+y71HjrDzOqtsJycuBs
+1Ò¨Rq¢<>nýµ{”ýT°5?HXH1¢ Ê%‘)Í01’RGr×¿fÖNT4å2B(í);ìíÿ‰íÁœ
--- a/machines/storage01/secrets/netbird-relay_environment_file
+++ b/machines/storage01/secrets/netbird-relay_environment_file
--- a/machines/storage01/secrets/netbird-relay_secret_file
+++ b/machines/storage01/secrets/netbird-relay_secret_file
@ -0,0 +1,31 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA lI9DxAFp/gbF+77Sofv9KIrs3kMTYTLEm8C6AsZBPyI
+8RFGt1aJnZbd7Lpr4iy1VlMr3yzpPf6sI79cik5X77c
+-> ssh-ed25519 QlRB9Q eMENLAMY+eNXJhduTnJoyPimbThM7VA+4m6BrnZa8RE
+NpwcJhh0U8pMU1hnXFz2bfwSmCQra1CI5Tr2cbXGMT0
+-> ssh-ed25519 r+nK/Q eyuD/hYyYmG96AcPEZVNsohXgK9WD+g+ZyMpIyaiYjY
+Ef+R/eXkqvOmYJvjz4muTjGamkXzgHzD31vXDXsgo3M
+-> ssh-rsa krWCLQ
+BuBMUp5uijNV71OYvMGS9NhBBplfFugJy14EOHclJ2TKjQ19RVKHPj0wX0AxuPCT
+iV6j6Po/oKSsGuoKy6JMTLKjYtROPF70Ld8PlC4tFI5i0xQagEFhKONfk1Rd/mF0
+2qGriQhSUMvkMirbkhE3CxrAzSqcjuoGji+ZWwpz2LYUVsF89nnoLsTRri+Sg5ZW
+4qhoo23UTU+IlrVtqjB7W1rNAwHKhWPZnjc08x1x/qnLATemmDMsFmTEGljJNGMR
+kEg+oUdwdvLjDsnGBWkE+Ck/mrEGwjcsDTmZmCYcH/Q11EMdj5hnCfG68PRhLF9K
+b28fHveM3i5/jHrrTxWbrA
+-> ssh-ed25519 /vwQcQ 1xQWlLW6xCrheirHSKcGEu+KM644y8NP1KYvwOganQc
+IFVYj83X1uLvgIRlnDvnLiaoZNM9viLT7X11vIHdLxY
+-> ssh-ed25519 0R97PA I8K03IKgC59zmHqVr8h8TaxuuTSbmYsyap830JyhIhw
+AGxW9sq7PQNgs9WFcbINI2CnE3lJJ0rDmseN83YSeT0
+-> ssh-ed25519 JGx7Ng syz/pzdj3Lg1VwulZhT8UQncgXjOH1nlbtqHgASLAws
+IKaU32zbjFc319PctmGPtHt4RXjgzun0K+9HeuGS3FU
+-> ssh-ed25519 5SY7Kg 06EjOyKw1zIWcdZGC7EfNt9mFix+fVcy1iS+SBhPgCQ
+ZxcNbC1QmTPJkWlwBnD9YjuzekGZtSDeI7RYxq0uwgw
+-> ssh-ed25519 p/Mg4Q uCbjjN5S0ZoZtsj5jva9mTrlZ2UE02A3DysxV1PZ/lM
+7jWWiWp4ei5VjftKZz29osbaFxfpId+X3GLzgWZ9Wgo
+-> ssh-ed25519 rHotTw Q1/zZpGbUCbXiEELad5710uNkllrFuQlhonSLfIoQVo
+h6iW26rADPn1MRqNoD33ZVVDRDr2DBoNK+BjrDxwZik
+-> ss-grease
+A3WDPMHgipAaXF0MStKGx8CAbFTqks74CRTKButwwJYvgnMFp2Yglx3D2NOWTdJm
+yde7gp5XInweYf2TjvQK88l0MD0VYlG9Lu7+wbWGFElCpQ
+--- 0d/8UVX6ubUZpKG3LzJsFKbsZNRKUwQq7LuWMiyezKo
+P?j@¦Hˆ´ßš¥¼ówgêìÚ©L¥_ã+ì|Î¶ãÙ¦Ö#‘“fu#cæ¶¯„IæS†|¨À²å 4Š
--- a/Show more
+++ b/Show more
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE020zqMJTlJ73czVxWVNmRof6il+N9dS4Knm43bJSpm`